CYBER UPDATE: General Data Protection Regulation (GDPR)
Cyber, Property & Casualty
Derek Laczniak
Senior Client ExecutivePartner
General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. Any organization doing business in the European Union (EU) or with European citizens must comply with the new requirements. European countries have always set data security standards for U.S. organizations doing business within their boundaries. Notably, the 1998 Data Protection Directive set rules for the use of data. The GDPR align with such proactive European initiatives.
Impacted organizations need to be aware of critical changes THE GDPR will bring, including:
- A single set of rules across all 28 EU member states. The EU has traditionally relied on individual country legislation, similar to the U.S. where state law predominately oversees data security.
- The rules apply to any company providing services to EU citizens. Previously, only companies domiciled within EU countries had to comply with data security legislation.
- Citizens must explicitly provide permission to have information collected and processed by organizations. In the past, consent could be assumed.
- Regulators are allowed to levy fines of up to 4% of an organization’s global revenue. Some individual countries have laws allowing penalties as high as 10%, although individual EU states do not have historically high instances of fining for data security law violations.
- GDPR extends beyond data breaches, dictating how organizations manage and store their data as well as how they build out their organizations data security plan and train personnel.
Cyber Liability Considerations
- Local Cyber Liability insurance policies are not necessary, most Cyber Liability policies provide global coverage.
- Insurance amount should be matched with EU exposure and in some cases increased.
- Most of the fines and penalties included in GDPR are insurable, but remember, the policy has to be triggered. In many cases, policy triggers happen through a breach or unauthorized access to personal information.