A new European Union (EU) regulation on Internet data privacy stands to impact U.S. individuals and companies. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is effective May 25, 2018, replacing the less stringent 1995 Data Protection Directive. The regulation intends to give individuals the right to control their own personal data (personally identifiable information) and to provide them with easier access to that data, with clear and easily understandable information on processing, so that individuals can gain insight into how their information is used. Under the GDPR, an individual can request that their personal data be erased once it is no longer needed for its original purpose, or if the person no longer consents to the processing of their personal data. Unless an exception applies, a company has just one month to erase all of the person's personal data wherever it is stored.
In addition, the GDPR requires that businesses report data breaches to regulatory authorities within 72 hours of discovery and, in high-risk scenarios, to follow this reporting by notifying the individuals whose data may have been compromised. Businesses have an obligation to take security measures regardless of whether a data breach occurs. Violations of the GDPR are subject to potential fines of the higher of €20 million (almost $25 million U.S.) or 4% of the company's total annual revenue turnover for the preceding financial year. In addition, prosecution of the company's directors and officers for deliberately caused data breaches is possible. With the need to be proactive in implementing security measures and to comply with data breach requirements, it will be important for businesses to consider the need for cyber liability insurance. For example, the ISO Commercial Cyber Insurance Policy provides coverage for security breach expenses, including fines or penalties imposed by law, the costs to investigate the breach, the costs to notify affected parties of the breach, and the costs of post-event monitoring.
Under many U.S. laws and statutes, customer accounts and employee records must be maintained for specific time periods (some forever), subject to fines and penalties for violations. Some of these records retention laws conflict with the requirements of the GDPR.
The GDPR applies to any person or company who processes personal data in connection with an organization established in the EU. The regulation extends to the U.S. and other countries not headquartered in Europe, as it applies to organizations that sell goods or services to, or who monitor individuals in, the EU. A single transaction cannot subject a company to the GDPR requirements; however, if the company has a website and intends to direct that website to people in the EU, the GDPR will apply, for example if the website displays prices or accepts transactions in EU currency, or if it mentions customers or users in the EU.
Personal data as used in the GDPR is broad and can encompass any information that directly or indirectly relates to an identified or identifiable person. It can include the person's name, identification number, address, email address, phone number, any account numbers, or any other identifiable information such as Internet protocol address, cookie identifiers, or even information recorded by fitness tracking devices.
Processing of data can encompass any operation performed on personal data by any means – collecting, transmitting, retrieving, storing or any use of personal data, regardless of the purpose for such use or storage.
In answer to the conflict that arises between complying with the GDPR and complying with U.S. data retention requirements, the GDPR does permit private companies to reject an individual's request to erase personal data where the company has "compelling legitimate grounds" to continue processing (including storing) the individual's personal data. While the GDPR lists five other factors that could allow processing of personal data, such as the performance of a contract or the individual's consent, these factors have issues that would make it difficult for businesses to comply. In addition, the company's legitimate interest does not have to be based in EU or Member State law. However, businesses that rely on legitimate interest to store personal data for records retention purposes should keep in mind:
- The legitimate interest in storing the data must be balanced against the individual's reasonable expectations and rights. A company's legitimate interest in continued processing of personal data can arise where the individual is an employee or client of the company. However, the company must demonstrate that its legitimate interest overrides the rights of the individual (GDPR, Article 69).
- The company must inform the individual, preferably in writing, that it has rejected the individual's request for erasure based on the company's legitimate interest in complying with U.S. records retention laws.
- If the company rejects a request for erasure based on its legitimate interest in complying with U.S. records retention laws, the company should retain the data for records retention only, and not use the data for marketing or any other purpose.
- Once the retention period requirement has expired, the personal data should be disposed of in a secure manner (assuming no other legitimate interest requires continued storage of the data). As a suggestion, the individual should receive notification that the company is now disposing of the personal data on the basis that the company has fulfilled the applicable records retention period requirement. That way, the individual will know the company has disposed of their personal data.