The number of foreign nationals purchasing property in the United States surged in the 12 months between March 2016 and March 2017, according to the National Association of Realtors. The Association said foreigners bought 284,455 properties, about a third more than a year earlier. And, as in previous years, a large share of those buyers, especially in states like Florida and Arizona, were European citizens.
European homebuyers who insure their properties through U.S. companies could require those businesses to upgrade their data protection efforts beginning in May of this year.
Looming EU compliance deadline
As of May 25, 2018, U.S.-based businesses that have operations in the European Union (EU) or that have customers who are citizens of EU nations will have new data protection requirements to meet. That is the date the new General Data Protection Regulation (GDPR) takes effect. Any company that is not prepared to meet the new regulations and then experiences a data breach could face massive fines.
GDPR was designed to better protect EU citizen data and to ensure that companies storing that data are entitled to possess it. Standards vary based on where the data originates, but generally any information such as name, address or credit card number is covered. In the domestic U.S., protected data is defined as Personally Identifying Information (PII). Under GDPR, the equivalent for an EU citizen is known as Personal Data. Failure to protect PII or Personal Data to the required standard could bring a hefty bill or, upon repeated failure, even an order to cease doing business in EU countries.
What this means for U.S. insurers
Current U.S.-based data privacy regulations require companies to notify customers if a data breach occurs. But in the U.S. there can be a significant delay between the breach and the notification letter; not so with GDPR. GDPR requires that the Supervisory Authorities be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be up to $26MM or 4% of global gross revenue, whichever is greater.
Insurance companies selling policies to EU citizens purchasing homes, rental properties or commercial properties in the U.S. could be affected by GDPR because they gather Personal Data on applications and store data on customers. If an attacker breaches the insurance company's systems and gains access to EU citizen data, the company would be required to notify the GDPR Supervisory Authorities and prove that it met all GDPR requirements. Failure to cooperate with an investigation or to meet GDPR requirements could lead to fines or worse.
Where to begin
The first step toward compliance for any company is determining whether it needs a Data Protection Officer (DPO) and, if so, appointing one. A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any event where there is a possibility of a loss of GDPR-covered data, and will be the point person for any GDPR issue with the affected persons and the Supervisory Authority. Because the DPO will be instrumental in proving the company's compliance with GDPR, this individual needs to know both the regulation and the company's security protocols inside and out. If a company is not required to have a DPO, it should still have a plan in place for whom it will call if the Supervisory Authority opens an investigation.
Additionally, any Personal Data that is lawfully received, stored or processed by a company needs to be encrypted. This means fully encrypted at rest and in transit: complete end-to-end encryption. GDPR does not allow for leniency regarding outdated software or new implementations that are still being evaluated for deployment.
Companies will also be required to complete Data Protection Assessments and Privacy Impact Assessments. They will be expected to increase visibility into what level of impact a breach, if one occurs, might have on customers and on the company. And all efforts made to comply with GDPR need to be documented so they can be provided to a Supervisory Authority upon request. The best source of information on the regulation's requirements is gdpr-info.eu.
The road ahead
Once GDPR takes effect, if a company experiences a breach or is contacted by a GDPR Supervisory Authority, the best course of action is to show an attitude of compliance by offering complete support for the investigation. Then contact the legal team. It is important to remember that complying with GDPR can be complex. It takes time to update systems and processes to the level of security the new regulation requires. It can also be costly and disruptive, but the protection of data is becoming paramount in the new business paradigm. Under GDPR, the cost of compliance is designed to be less than the cost of sanctions.
John Barchie is a senior fellow at Arrakis Consulting, a full-service security provider that develops and executes security solutions for clients ranging from startups to Fortune 10 corporations.