European lawmakers decided to update and harmonize the region's data protection laws as a response to the challenges of the 21st century triggered by new technologies, new business models and new cyber risks.

Starting in late May 2018, the long-awaited General Data Protection Regulation (GDPR) will apply across the European Union, representing the biggest shake-up of data protection laws in the digital age.

With GDPR implementation now just weeks away, what can businesses expect and how should they prepare?

The processing and protection of personal data has become a hot topic in recent years as more personal data is created and managed through the digitization of everything from shopping to health care, not to mention the emergence of mobile apps and social media.

|

Data management risks

According to a 2017 Ponemon Institute study, there are 24,000 records in an average data breach, at an average cost of $141 per record.

The average data breach cost to a company is $3.62 million, and there is a 27.7% likelihood of a recurring material data breach over the next two years.

Consider the data breach at credit monitoring firm Equifax, which potentially affected 145 million people, along with the recently disclosed breach at Uber, which may have exposed the accounts of 57 million customers.

European lawmakers decided to update and harmonize the region's data protection laws as a response to the challenges of the 21st century triggered by new technologies, new business models and new cyber risks. The General Data Protection Regulation (GDPR) will replace the EU's existing guideline enacted in 1995.

|

GDPR 101

GDPR is a set of rules and requirements aimed at protecting personal data held by businesses and other organizations.

Currently, data protection laws vary by country, but the GDPR will harmonize privacy rules across all 28 EU countries.

The new rules strengthen the role and powers of data authorities, affirm additional rights to data subjects (principally, every individual), enhance potential fines and sanctions and define additional requirements for organizations to protect personal data.

These requirements include but are not limited to implementing certain policies and processes, developing an effective internal data protection management system and appointing a data protection officer.

The GDPR protects the personal identifiable information of individuals with permanent residence in the EU, but it will also have legal reference for European Economic Area (EEA) countries.

Basically, only information of natural persons is in scope and corporate data is out of scope.

Any company that controls personal data or processes personal data by itself or on behalf of another company must comply with the GDPR, even if the company is based outside the EU. The GDPR is not linked to an EU passport and does not apply for EU nationals with permanent residence outside of the EU.

Small-to-medium-sized enterprises (SMEs) are also subject to the GDPR. The GDPR may grant some flexibility to smaller companies, but in general the GDPR pays no special attention to a company's size.

Many GDPR requirements to protect personal data already exist under national laws, but the GDPR sets a new tone and improves the principles of processing personal data, the accountability and obligations of legal entities, the data subject's access requests and regulatory oversight power. The GDPR is more an evolution to existing EU data protection laws than a revolution.

In addition to the extended extra-territorial scope, the GDPR also significantly increases the possibility of higher fines and sanctions to non-compliant companies. It contains a catalog of different breaches with maximum limits.

Businesses will be much more challenged to understand their risk exposure and their data protection management will be in the spotlight. Data protection will be a top risk for companies, especially considering the potential reputational risks they face as a consequence of data breaches or poor handling of personal data.

|

GDPR challenges

There are many challenging issues from an organizational and technical perspective.

Chief among them is the timeline for implementation, which is ambitious and difficult to meet, especially because many requirements will not be sufficiently defined by the GDPR itself or the authorities until May 2018.

The most prominent and complex new change is the data subject's “right to be forgotten.” This means an individual can request that a company erases their respective personal data.

Companies will need to put processes in place to locate the data and comply with these requests, although deleting a single data record that may have been copied to numerous databases, aggregated, or shared with a third party may not be simple.

Another major challenge of GDPR compliance is the new requirement to notify authorities of a data breach within 72 hours of its occurrence. This has implications for risk management.

Companies will need to put adequate processes and systems in place to identify what data is affected and to improve internal collaboration before informing the regulator. Consecutive breaches will result in higher penalties and stricter regulatory monitoring.

|

GDPR enforcement

While the regulatory response to a data breach may differ between countries, generally we would expect to see more and larger fines for data breaches under the GDPR.

The new rules give authorities the ability to levy fines of up to 4% of a company's global revenues (at the group level not just the single legal entity level) and a personal liability of up to 20 million euros. This would be far higher than the current maximum fines of 500,000 pounds, or roughly $707,300, in the United Kingdom and 300,000 euros, or $710,000, in Germany.

Authorities in individual EU countries will be responsible for enforcing the GDPR in each member state, meaning that some could take a more aggressive stance than others, for example when it comes to fines.

Additionally, the European Data Protection Board will mediate conflicts between national authorities and issue guidelines on dispute findings with more or less binding effect. Data subjects, companies or regulators can seek a final decision in matters of dispute with the European Court of Justice.

|

How ready are businesses for GDPR?

GDPR readiness depends on the individual business and its size.

A number of EU countries and certain sectors, such as telecommunications and financial institutions, are already subject to higher levels of data protection regulation.

More generally, most companies are on their way to compliance but aren't there yet. Many do not yet have the systems and processes in place to handle the “right to be forgotten” requirement. Others are not prepared for making sure their legacy data is compliant.

If a company realizes it will not be compliant by May 2018, it should reach out to authorities and engage in a dialogue ahead of time, rather than hide and hope nothing happens.

The GDPR does not establish any grace period, so each case would be individually assessed by the respective authority.

|

Counting down to GDPR enactment

Companies of all sizes need to get a clear understanding of the personal data they are processing: how much, what information, where it is stored and with whom it is shared.

If the company determines that its data processing activity would pose a “high risk” to the GDPR requirements and the “rights and freedoms” of individuals, they would also need to conduct and document a detailed data privacy impact assessment, keeping in mind that it is the domicile of the data subject, not the company, that generally determines who is in scope of the GDPR.

The recent Paradise Papers data breach, which included personal data of EU resident clients of an offshore law firm, would have been covered under the GDPR.

Being well prepared for a data breach will help reduce the reputational impact as well as the business interruption. Past experience has shown that the way in which an organization manages a breach has a direct impact on the cost, and this will become even more the case under the GDPR.

Authorities are more likely to penalize companies that are not well prepared and do not handle breaches according to best practices.

|

The risk manager's role in GDPR preparations

It has taken time for companies to realize the extent of the exposure, but now we see that the risk management function is highly involved in an organization's GDPR projects.

However, risk management should keep data privacy on the risk agenda even after “readiness” projects are concluded.

The GDPR also requires “privacy by design” and “privacy by default” to encourage data protection from the earliest stage of any project or initiative. A robust privacy check early in the beginning of every project or new process will become a mandatory internal requirement. Since the GDPR is not a one-off implementation, it will require a continuous risk approach.

Cyber insurance can help with aspects of compliance. Insurance, for example, often includes consulting and incident planning services, as well as breach response services. If a company suffers a breach it will need access to expertise, such as specialist lawyers, IT forensics and crisis management consultants.

Insurance provides instant access to these experts and helps demonstrate to authorities that a company has taken immediate and appropriate steps to reduce the impact of a data breach, as well as to meet regulatory requirements and deadlines.

|

GDPR's impact

A common saying in the field is, 'You can have security without privacy but you cannot have privacy without security.' If companies approach GDPR requirements with due diligence, they are bound to augment cyber security through process refinement, increased awareness and often a growth in the security budget in order to deploy additional security measures.

The GDPR is expected to support uptake of cyber insurance. But ultimately it will be up to individual companies to decide how to best allocate their risk management and security budgets.

Emy R. Donavan is global head of the Cyber & Tech PI division at Allianz Global Corporate & Specialty. She can be reached by sending email to [email protected].

See also:

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.