Learn How and Why the GDPR Affects Your Clients’ Businesses Outside of the European Union
The General Data Protection Regulation (GDPR) went into effect in May 2018 as one of the toughest privacy and security laws in the world. This regulation protects consumer personal data, and while it is based in the European Union (EU), it affects organizations worldwide.
GDPR compliance guidelines apply to any business or organization processing personal data of EU citizens—regardless of where the business or organization is established.
Today, businesses in the U.S. need to ensure they’re familiar and compliant with these data privacy laws and the GDPR insurance requirements. In many ways, it is now a legal requirement to have a data protection policy in place.
Does Cyber Insurance Cover GDPR Fines?
While many cyber insurance policies provide comprehensive coverage for fines and penalties associated with a data breach, a GDPR regulator will be the one to determine whether fines are insurable or not. Based on GDPR insurance requirements, this could mean business owners may have to pay these fines out of pocket—and regulators can fine as much as four percent of a company’s annual income.
These regulatory fines penalize the at-fault company’s actions, whether they’re negligent or intentional, for non-compliance. As the GDPR risk can be extensive, business owners must plan accordingly with their finances should they face these fines. Further, it’s important to review any insurance coverage closely to see what options are available, should data protection authorities come knocking.
With that in mind, the real question businesses should be asking themselves is: What are we doing to ensure compliance?
GDPR Compliance for U.S. Businesses
Even though this new data regulation came from the EU and only protects EU data subjects, enforcement is global, meaning many United States businesses may still be on the hook.
The GDPR compliance guidelines only apply to businesses that are processing personal data for EU residents. For example, an American hotel may process information for EU guests.
Let’s look at some of the protections put in place by the GDPR and how U.S. business owners can ensure GDPR compliance.
A Brief Look at an Important Regulation
The protections put in place impact multiple data elements, from the amount of time a business should hold on to a data subject’s information to ensuring the data is accurate and handled fairly and transparently.
The document is enormous, but many of the regulations are reasonable.
For example, the “Lawfulness of Processing” section outlines that it’s only lawful to process information if the data subject has given consent to process personal data for that specific purpose. That consent could be given by checking a box in a dialog on a web page, through a contractual arrangement, a legal obligation, etc. However, the consent for processing that personal information covers only the purpose explicitly stated.
Keep in mind that “processing,” as noted in this CHUBB GDPR report, refers to any company that is “hired under specific written instructions to collect, organize or otherwise manipulate the data.”
Three Steps to Take to Ensure GDPR Compliance
Every business can take steps to ensure they are not leaving themselves or their customer information vulnerable. The steps below don’t constitute a comprehensive list, but they’re a good place to start.
1. Take an honest look at data protection.
Is the client’s business taking data protection and cyber risk management seriously?
2. Consider updating software, technology, and data handling practices.
This could mean adding data encryption, using multi-factor authentication, or reviewing and rewriting the organization’s data practices entirely to ensure there are no gaps in data handling.
The security measures taken should be appropriate to the risk involved, and the risk levels of a small business and a large corporation are different. Therefore, their security obligations under the GDPR will look different.
3. Review how consent to use personal information is granted.
Business owners should ensure that they’re only using information for the purpose explicitly consented to, and that they don’t hold onto that information any longer than is necessary.
The Jump from EU’s GDPR to the United States
In November 2018, the California Consumer Privacy Act (CCPA) was passed, and it went into effect in 2020. This rule entitles any California consumer to see the information a company has saved about them, including information shared with third parties.
Protecting Your Clients: Complying With GDPR Insurance Requirements
The requirements that companies use data lawfully will continue to grow as more states and countries come on board with their own regulations. If your clients weren’t thinking about the GDPR insurance requirements before, they should be now.
Though questions about coverage and insurance remain, the question about compliance has been decided.
For more information on protecting your clients, download Cyber Risk Management 101 to better educate your clients on cyber exposures and cyber insurance coverage in five simple steps.