Huge fines await companies unaware of GDPR's broad scope
Failure to comply with Europe's new data protection laws exposes U.S. companies to potentially catastrophic expenses.
When finally effective on May 25, 2018, the European Union’s long-anticipated General Data Protection Regulation (GDPR) will dramatically expand the scope of entities covered by the European data protection framework, imposing EU regulation on a wide range of U.S. companies that utilize the personal information of EU individuals in their businesses but were not previously subject to EU data protection protocols.
While many U.S. companies have recognized and are prepared to meet this considerable new compliance challenge, others remain unaware of the obligations it will impose (or, in some cases, of the GDPR’s very existence) or have simply forgotten. This is true despite the fact that many of these entities are generally aware of privacy protection-related risk, and maintain privacy and network security (“cyber”) insurance coverage to protect against such risk.
Given the GDPR’s newly imposed 72-hour deadline for notifying regulators of a known data breach, the need to quickly respond to data breaches once improper disclosure of “personal data” is discovered, other new and/or enhanced compliance obligations imposed by the GDPR with respect to personal data, and the stiff fines associated with non-compliance, lack of GDPR-awareness poses obvious and serious risks for these companies, as well as for cyber carriers eventually tasked with resulting claims.
Out with the old, in with the new
The GDPR replaces the 1995 EU Data Directive (“Directive”) and will apply to organizations involved in the “processing” of the “personal data” of individual EU citizens. Though ostensibly intended to introduce a set of standardized data protection laws across all EU member countries, the GDPR will also greatly enhance the protections afforded by European data protection laws by widening the territorial reach of such laws, imposing new and expanded obligations on data “processors” and “controllers”, and broadening what constitutes “personal data” entitled to regulatory protection, among other things.
For example, while a U.S. entity with no physical presence in the EU is generally not subject to the Directive, that entity may become subject to the GDPR simply because it processed data in connection with (“in the context of”) an EU-based “establishment.”
Similarly, a U.S. company processing EU-related data insufficient on its own to fully identify an individual (that is, to constitute “personal data” under the Directive) may now find itself within the GDPR’s scope if that same data, such as a phone number, is related to an identifiable person, thereby placing it within the broader definition of “personal data” under the GDPR.
In sum, these GDPR enhancements will significantly increase the number of U.S. businesses utilizing EU-centric personal data that will be subject to EU regulation.
A U.S. organization unaware or forgetful of its new GDPR obligations poses an obvious and significant liability risk. For example, GDPR Article 33 imposes strict notice requirements in the event of a data breach, generally requiring an entity subject to the GDPR to notify the relevant supervisory authority “not later than 72 hours” after it becomes aware of the breach.
Where a U.S. company is aware of a breach related to specific data it has processed but is unaware that it and/or its activities related to that data are subject to strict new GDPR notice deadlines, it is easy to see how 72 hours can pass without that company taking action — including notifying appropriate EU authorities.
An organization’s first inkling that it has violated the GDPR may take the form of a written notification from a supervisory authority or a lawsuit, received weeks or even months after it first learned of the unlawful disclosure.
Under GDPR Article 83, such failure to timely provide notice can result in fines ranging as high as $12 million (USD) or, under certain circumstances, up to 2% of the “total worldwide annual turnover of the preceding financial year,” whichever is higher. Moreover, the ultimate severity of the fines may be based on certain factors the supervisory authority may consider at its discretion, including, but not limited to, the duration of the infringement, the number of EU individuals affected, mitigation efforts undertaken, and the manner in which the infringement became known to the authority.
The longer the insured delays in providing notice of the breach (if it provides notice at all), the more likely these factors will lead to substantial fines.
Indeed, the sheer magnitude of potential GDPR fines or penalties associated with the “72-hour rule” has major implications not only for the subject entity but for its cyber insurer as well. While certain “cyber” policies bar coverage for fines and penalties, others may not.
Even those policies that exclude coverage for fines with respect to certain claims may provide specific coverage for regulatory proceedings (typically initiated by a written demand or complaint by a government authority) and resulting regulatory “expenses” (which can include civil fines and penalties).
Complying with GDPR is a must
Certain expenses are sure to be exacerbated by delays in responding to data breaches. For example, delays may mean more individuals will be impacted by the disclosure, thereby increasing notification and credit/identity monitoring costs. Legal defense, crisis management and other investigative expenses are also certain to increase the longer a breach goes unaddressed. Like fines and penalties, these costs may or may not be subject to insurance coverage under applicable policies.
The GDPR also imposes new and/or expanded standards and duties on companies related to, among other things, organizational structure, the relationships between companies utilizing data and the actual “processing” of personal data.
Simply put, failure to recognize and comply with GDPR directives exposes U.S. companies (and/or their insurers) to potentially catastrophic fines and expenses and threatens these entities’ continued business viability not only within the EU, but worldwide. It is therefore essential that all insurance underwriters, legal counsel, and other supporting professionals ensure top-of-mind awareness of, and across-the-board compliance with, the GDPR.
Eric Lidman is the Assistant Vice President, Specialty Claims (Management Liability & Professional Lines), for professional liability, technology errors & omissions and cyber liability claims, QBE North America. He can be reached at Eric.Lidman@us.qbe.com