It’s been four years since the General Data Protection Regulation (GDPR) went into effect in May 2018, marking the start of one of the toughest privacy and security laws in the world. Although based in the European Union (EU), the data protection rules affect organizations worldwide.
GDPR compliance guidelines apply to any business or organization processing personal data of EU citizens—regardless of where the business or organization is established. Therefore, it’s critical for U.S. businesses to comply with the strict data privacy laws and GDPR insurance requirements.
For an idea of how seriously the EU takes these guidelines, consider that in 2021 alone, EU data protection authorities levied more than $1.2 billion in fines to companies worldwide for GDPR breaches — including Amazon and Facebook parent company Meta. From a U.S. business standpoint, the GDPR continues to make a robust data protection policy a legal requirement.
The Impact of a GDPR Violation
No company is exempt from the GDPR data protections, and even major corporations have been hit with penalties. Consider these recent cases:
- Twitter was fined $546,000 by Ireland’s Data Protection Commission for failing to report a January 2019 breach within 72 hours, as the GDPR requires.
- Marriott Hotels was issued a fine of nearly $24 million by the UK’s privacy watchdog for a data breach that began in 2014 and was only discovered in 2018. Hackers were able to steal the personal information of more than 340 million people, leading to charges that the chain failed to protect private data as required by the GDPR.
- Clearview AI, a facial recognition firm, was fined more than $22 million by the UK’s Information Commissioner’s Office, and an additional $22 million by Italy’s data protection agency, for collecting personal images from social media users for its customers to use for comparison purposes. The images were collected without permission, and Clearview AI failed to notify people about how the images would be used and to adequately protect the data.
- Google was fined $57 million by the French data protection agency for violating the GDPR rules outlining how user information is used, specifically pertaining to targeted advertising. As of 2021, this was the largest fine levied against a U.S. company.
Clearly, even large companies are not immune to the reach of the GDPR. And while $546,000 might only account for about 2% of Twitter’s overall revenues, for a small business, even that comparatively small amount could be devastating. That’s why it’s so important for all enterprises to have a thorough understanding of GDPR rules, how they apply to their business, and what a violation could mean to the bottom line.
Does Cyber Insurance Cover GDPR Fines?
If you think that carrying cyber insurance is an automatic solution for GDPR fines, you might be surprised to learn that isn’t always the case.
While many cyber insurance policies cover the fines and penalties associated with a data breach, a GDPR regulator will be the one to determine whether fines due to a GDPR violation are insurable. Based on GDPR insurance requirements, business owners could be on the hook for paying these fines out of pocket, which may be as high as 4% of a company’s annual income.
With that in mind, the real question businesses should be asking themselves is “What are we doing to ensure GDPR compliance?”
GDPR Compliance for U.S. Businesses
Although the GDPR is designed to protect EU data subjects, enforcement is global. That means that GDPR compliance guidelines apply to businesses that process personal data for EU residents — for example, an American hotel that collects personal and payment information from guests visiting from the EU.
Understanding the protections put in place by the GDPR can help U.S. businesses comply. The document is enormous, but many of the regulations are reasonable.
For example, the GDPR governs:
- How long a company can hold on to a data subject’s information
- How the accuracy of data is ensured
- The transparency of data handling
- Requirements regarding consent to collect and use data, including the requirement that consent only covers explicit purposes
Three Steps Businesses Can Take to Ensure GDPR Compliance
Every business can take steps to ensure they are not leaving themselves or their customer information vulnerable. The steps below don’t constitute a comprehensive list, but they’re a good place to start.
1. Take an honest look at data protection.
Is the business taking data protection and cyber risk management seriously?
2. Consider updating software, technology, and data handling practices.
This could mean adding data encryption, using multi-factor authentication, or reviewing and rewriting the organization’s data practices entirely to ensure there are no gaps in data handling.
3. Review how consent to use personal information is granted.
Business owners should ensure that they’re only using information for the explicit purpose for which it was provided, and that they don’t hold onto information any longer than is necessary.
Protecting Your Clients: Complying With GDPR Insurance Requirements
The requirements that companies use data lawfully will continue to grow as individual states and countries develop their own regulations. If your clients weren’t thinking about the GDPR insurance requirements before, they should be now. Though questions about coverage and insurance remain, the question about compliance has been decided.
For more information on protecting your clients, download our Cyber Risk Management 101 infographic to better educate your clients about cyber exposures and cyber insurance coverage in five simple steps.