
A new European Union (EU) regulation on Internet data privacy stands to impact U.S. individuals and companies. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is effective May 25, 2018, replacing the less stringent 1995 Data Protection Directive. The regulation is intended to give individuals the right to control their own personal data (personally identifiable information) and to provide them with easier access to that data, together with clear and easily understandable information on how it is processed, so that individuals can gain insight into how their information is used. Under the GDPR, an individual can request that their personal data be erased once it is no longer needed for its original purpose, or if the person no longer consents to the processing of their personal data. Unless an exception applies, a company has just one month to erase all of the person's personal data wherever it is stored.

In addition, the GDPR requires that businesses report data breaches to regulatory authorities within 72 hours of discovery and, in high-risk scenarios, follow that report by notifying the individuals whose data may have been compromised. Businesses have an obligation to take security measures regardless of whether a data breach has occurred. Violations of the GDPR are subject to potential fines of the higher of €20 million (almost $25 million U.S.) or 4% of the company's total annual revenue turnover for the preceding financial year. Potential prosecution of the company's directors and officers for deliberately caused data breaches is also possible. Given the need to implement security measures proactively and to comply with the breach-reporting requirements, it will be important for businesses to consider cyber liability insurance. For example, the ISO Commercial Cyber Insurance Policy provides coverage for security breach expenses, including fines or penalties imposed by law, the costs to investigate the breach, the costs to notify affected parties, and the costs of post-event monitoring.

Under many U.S. laws and statutes, customer accounts and employee records must be maintained for specific time periods (some forever), subject to fines and penalties for violations. Some of these records retention laws conflict with the requirements of the GDPR.
