European lawmakers decided to update and harmonize the region's data protection laws in response to the challenges of the 21st century triggered by new technologies, new business models and new cyber risks. (Photo: Shutterstock)

Starting in late May 2018, the long-awaited General Data Protection Regulation (GDPR) will apply across the European Union, representing the biggest shake-up of data protection laws in the digital age.

With GDPR implementation now just weeks away, what can businesses expect and how should they prepare?

The processing and protection of personal data has become a hot topic in recent years as more personal data is created and managed through the digitization of everything from shopping to health care, not to mention the emergence of mobile apps and social media.

Data management risks

According to a 2017 Ponemon Institute study, an average data breach involves 24,000 records, at an average cost of $141 per record.

The average data breach cost to a company is $3.62 million, and there is a 27.7% likelihood of a recurring material data breach over the next two years.

Consider the data breach at credit monitoring firm Equifax, which potentially affected 145 million people, along with the recently disclosed breach at Uber, which may have exposed the accounts of 57 million customers.

European lawmakers decided to update and harmonize the region's data protection laws in response to the challenges of the 21st century triggered by new technologies, new business models and new cyber risks. The General Data Protection Regulation (GDPR) will replace the EU's existing directive enacted in 1995.

GDPR 101

GDPR is a set of rules and requirements aimed at protecting personal data held by businesses and other organizations.

Currently, data protection laws vary by country, but the GDPR will harmonize privacy rules across all 28 EU countries.

The new rules strengthen the role and powers of data protection authorities, affirm additional rights for data subjects (principally, every individual), increase potential fines and sanctions, and define additional requirements for organizations to protect personal data.

These requirements include, but are not limited to, implementing certain policies and processes, developing an effective internal data protection management system and appointing a data protection officer.

The GDPR protects the personally identifiable information of individuals with permanent residence in the EU, but it will also serve as a legal reference for European Economic Area (EEA) countries.

Basically, only information about natural persons is in scope; corporate data is out of scope.

Any company that controls personal data, or processes personal data by itself or on behalf of another company, must comply with the GDPR, even if the company is based outside the EU. The GDPR is not linked to an EU passport and does not apply to EU nationals with permanent residence outside of the EU.

Small-to-medium-sized enterprises (SMEs) are also subject to the GDPR. The GDPR may grant some flexibility to smaller companies, but in general it pays no special attention to a company's size.

Many GDPR requirements to protect personal data already exist under national laws, but the GDPR sets a new tone and strengthens the principles of processing personal data, the accountability and obligations of legal entities, the data subject's access requests and regulatory oversight powers. The GDPR is more an evolution of existing EU data protection laws than a revolution.

In addition to the extended extra-territorial scope, the GDPR also significantly increases the possibility of higher fines and sanctions for non-compliant companies. It contains a catalog of different breaches with maximum limits.

Businesses will be much more challenged to understand their risk exposure, and their data protection management will be in the spotlight. Data protection will be a top risk for companies, especially considering the potential reputational risks they face as a consequence of data breaches or poor handling of personal data.

GDPR challenges

There are many challenging issues from an organizational and technical perspective.

Chief among them is the timeline for implementation, which is ambitious and difficult to meet, especially because many requirements will not be sufficiently defined by the GDPR itself or by the authorities until May 2018.

The most prominent and complex new change is the data subject's "right to be forgotten." This means an individual can request that a company erase their personal data.

Companies will need to put processes in place to locate the data and comply with these requests, although deleting a single data record that may have been copied to numerous databases, aggregated, or shared with a third party may not be simple.

Another major challenge of GDPR compliance is the new requirement to notify authorities of a data breach within 72 hours of its occurrence. This has implications for risk management.

Companies will need to put adequate processes and systems in place to identify what data is affected and to improve internal collaboration before informing the regulator. Repeated breaches will result in higher penalties and stricter regulatory monitoring.

GDPR enforcement

While the regulatory response to a data breach may differ between countries, generally we would expect to see more and larger fines for data breaches under the GDPR.

The new rules give authorities the ability to levy fines of up to 4% of a company's global revenues (at the group level, not just the single legal entity level) and a personal liability of up to 20 million euros. This would be far higher than the current maximum fines of 500,000 pounds, or roughly $707,300, in the United Kingdom and 300,000 euros, or $710,000, in Germany.

Authorities in individual EU countries will be responsible for enforcing the GDPR in each member state, meaning that some could take a more aggressive stance than others, for example when it comes to fines.

Additionally, the European Data Protection Board will mediate conflicts between national authorities and issue guidelines on dispute findings with varying degrees of binding effect. Data subjects, companies or regulators can seek a final decision in matters of dispute from the European Court of Justice.

How ready are businesses for GDPR?

GDPR readiness depends on the individual business and its size.

A number of EU countries and certain sectors, such as telecommunications and financial institutions, are already subject to higher levels of data protection regulation.

More generally, most companies are on their way to compliance but aren't there yet. Many do not yet have the systems and processes in place to handle the "right to be forgotten" requirement. Others are not prepared to make sure their legacy data is compliant.

If a company realizes it will not be compliant by May 2018, it should reach out to the authorities and engage in a dialogue ahead of time, rather than hide and hope nothing happens.

The GDPR does not establish any grace period, so each case would be individually assessed by the respective authority.

Counting down to GDPR enactment

Companies of all sizes need to get a clear understanding of the personal data they are processing: how much, what information, where it is stored and with whom it is shared.

If a company determines that its data processing activity would pose a "high risk" under the GDPR requirements to the "rights and freedoms" of individuals, it would also need to conduct and document a detailed data privacy impact assessment, keeping in mind that it is the domicile of the data subject, not the company, that generally determines who is in scope of the GDPR.

The recent Paradise Papers data breach, which included personal data of EU-resident clients of an offshore law firm, would have been covered under the GDPR.

Being well prepared for a data breach will help reduce the reputational impact as well as the business interruption. Past experience has shown that the way in which an organization manages a breach has a direct impact on the cost, and this will become even more the case under the GDPR.

Authorities are more likely to penalize companies that are not well prepared and do not handle breaches according to best practices.

The risk manager's role in GDPR preparations

It has taken time for companies to realize the extent of the exposure, but now we see that the risk management function is highly involved in an organization's GDPR projects.

However, risk management should keep data privacy on the risk agenda even after "readiness" projects are concluded.

The GDPR also requires "privacy by design" and "privacy by default" to encourage data protection from the earliest stage of any project or initiative. A robust privacy check at the beginning of every project or new process will become a mandatory internal requirement. Since the GDPR is not a one-off implementation, it will require a continuous risk approach.

Cyber insurance can help with aspects of compliance. Insurance, for example, often includes consulting and incident planning services, as well as breach response services. If a company suffers a breach, it will need access to expertise, such as specialist lawyers, IT forensics and crisis management consultants.

Insurance provides instant access to these experts and helps demonstrate to authorities that a company has taken immediate and appropriate steps to reduce the impact of a data breach, as well as to meet regulatory requirements and deadlines.

GDPR's impact

A common saying in the field is, "You can have security without privacy, but you cannot have privacy without security." If companies approach GDPR requirements with due diligence, they are bound to augment cyber security through process refinement, increased awareness and often a growth in the security budget in order to deploy additional security measures.

The GDPR is expected to support uptake of cyber insurance. But ultimately it will be up to individual companies to decide how best to allocate their risk management and security budgets.

Emy R. Donavan is global head of the Cyber & Tech PI division at Allianz Global Corporate & Specialty. She can be reached by sending email to [email protected].