XL Catlin

Privacy regulations in the United States have nothing on those in the European Union (EU).

In fact, the newly minted General Data Protection Regulation (GDPR), which will take effect May 25, 2018, sets forth some of the most stringent privacy requirements in existence. The regulation unifies data protection within the EU and bolsters the rights of individuals.

Yet despite the focus being on consolidating the disparate data protection and privacy regulations of EU countries, the GDPR poses serious implications for US-based companies. The regulation imposes wide-reaching protection of the personal data of EU residents, which applies to the export of such data outside of the EU.

GDPR: The Genesis


Even before GDPR came into being, the EU had adopted in 1995 the Data Protection Directive (95/46/EC), which created more uniform privacy guidelines among member states. Member states had until October 1998 to implement it. The directive set forth protections for individuals regarding the use and processing of personal data and the free movement of such data.

However, a directive is not directly applicable law. Member states were charged with transposing it into their own national legislation, and as each country adopted its own version, the result was a patchwork of regulation that made it difficult to do business across the EU and meet every country's data protection compliance requirements.


In 2009, EU institutions renewed the discussion of data protection in a global economy, with countries once again considering how to protect data and privacy given the spread of information technology and cloud computing. At issue was the need for a consolidated, uniform framework for data protection and privacy, one that would close the loopholes companies had exploited to circumvent the existing rules.

One of the more notable changes that GDPR brings to data protection and privacy in the EU is Article 17: the right to erasure. Also known as the ‘right to be forgotten’, it puts control of personal data in the hands of the individual. Individuals have the right to request that companies or entities holding their personal data delete all instances of that data. Companies must comply with such requests “without undue delay” and must have a process in place by which such requests can be fulfilled.

Importantly for US companies – GDPR defines personal data as ANY information relating to an identified or identifiable living individual. This may include personal health information, IP addresses, racial or ethnic origin, political opinions and religious beliefs, genetic and biometric data, photographs, even transaction histories.

The Impact


While breach notification is already required in all but two US states, US businesses are ill-equipped for compliance with a regulation this stringent. The issues are myriad, and the fines for noncompliance are high – up to 4% of total worldwide annual turnover or 20 million euros, whichever is higher.

What are the challenges for businesses?

  • IT exposures: erasing every instance of an individual’s data can be difficult. Handwritten forms, and records indexed by ID number rather than by name, make personal data harder to trace and remove.
  • Resident status: GDPR protects the data of any person residing in the EU, including Americans living in an EU country. Regardless of where the data is viewed or processed, GDPR applies. Companies selling products and services to EU-based customers must comply with GDPR.
  • Purpose limitation: GDPR allows companies to use personal data only for the purposes for which it was collected. This means companies will be required to conduct ongoing reviews of their records and decide what to do with each data set. In many instances, US companies may never have disclosed what the data would be used for, so notifying data subjects about how their data is being used will be a new process.
  • Data transfer: businesses can no longer route personal data to a country that does not regulate it. Under GDPR, personal data may leave the EU only to a country with an adequate level of protection or under appropriate safeguards, whatever the reason for the transfer.
  • Data use/viewing: GDPR applies to data that is viewed or used in an EU country, even if the data originates outside the EU. Such use is treated as a data transfer under GDPR and falls under the purview of the regulation.
  • Data Protection Officer (DPO): many companies will be required to hire or name a DPO to oversee their GDPR compliance program and respond to related requests and complaints.
  • Risk assessment: in certain circumstances businesses will be required to assess the risks associated with processing personal data before they begin. If the risks are too high and cannot be mitigated, they may be prohibited from processing the data.

While the regulation is clearly written to further protect individual data privacy, companies are not without some rights under GDPR. Article 17 itself provides exceptions: a company may retain records, and may refuse an erasure request, if processing the data is necessary to comply with a legal obligation, if archiving the information is in the public interest, or if deleting it would impede the right of freedom of expression and information.
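The two points above, that personal data is often filed under an internal ID rather than a name and that some records must be kept under an Article 17(3) exception, are easy to get wrong in an erasure workflow. The following is an added example, not code from the article or from XL Catlin: a minimal erasure-request handler over constructed in-memory stores. The Store layout, the data map (which identifier each system is indexed by), the retention ground on the invoice store and the sample records are all assumptions made for the illustration.

```python
"""Added example (not from the article): a minimal 'right to erasure' handler.

Everything here is illustrative. The Store layout, the data map (which
identifier each system is indexed by), the retention grounds and the sample
records are assumptions, not anything the article describes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Store:
    name: str
    key_field: str                          # identifier this system is indexed by
    records: List[dict] = field(default_factory=list)
    retention_basis: Optional[str] = None   # Art. 17(3) ground, if erasure must be refused


def build_stores() -> List[Store]:
    """Constructed sample data: one subject spread over three systems.

    The CRM is keyed by email, but tickets and invoices are keyed only by an
    internal customer ID, so a search by name or email alone would miss them.
    """
    return [
        Store("crm", "email", [
            {"email": "alice@example.com", "customer_id": "C-1001", "name": "Alice"},
        ]),
        Store("tickets", "customer_id", [
            {"customer_id": "C-1001", "ticket": "T-1", "body": "cannot log in"},
            {"customer_id": "C-2002", "ticket": "T-2", "body": "billing question"},
        ]),
        Store("invoices", "customer_id", [
            {"customer_id": "C-1001", "invoice": "INV-7", "amount": 42.0},
        ], retention_basis="legal obligation: tax-record retention (Art. 17(3)(b))"),
    ]


def resolve_identifiers(stores: List[Store], email: str) -> Dict[str, str]:
    """Collect every identifier the subject is known by, starting from the email.

    This must run before anything is deleted: the CRM row is the only link
    between the email and the customer ID used by the other systems.
    """
    ids = {"email": email}
    for s in stores:
        if s.key_field != "email":
            continue
        for r in s.records:
            if r.get("email") == email and r.get("customer_id"):
                ids["customer_id"] = r["customer_id"]
    return ids


def erase_subject(stores: List[Store], email: str) -> dict:
    """Handle one erasure request across all stores and return an audit report."""
    ids = resolve_identifiers(stores, email)
    report = {
        "subject": email,
        "handled_at": datetime.now(timezone.utc).isoformat(),
        "identifiers": ids,
        "erased": {},      # store name -> number of records deleted
        "retained": {},    # store name -> {"count", "basis"} where erasure was refused
    }
    for s in stores:
        key_value = ids.get(s.key_field)
        if key_value is None:
            continue                    # subject unknown to this system
        matching = [r for r in s.records if r.get(s.key_field) == key_value]
        if not matching:
            continue
        if s.retention_basis:
            # Article 17(3): records kept under a legal obligation are not erased,
            # but the refusal and its ground are recorded so the subject can be told.
            report["retained"][s.name] = {"count": len(matching), "basis": s.retention_basis}
            continue
        s.records = [r for r in s.records if r.get(s.key_field) != key_value]
        report["erased"][s.name] = len(matching)
    return report


def remaining_records(stores: List[Store], store_name: str) -> List[dict]:
    """Return what a store still holds after a request (used for verification)."""
    return next(s.records for s in stores if s.name == store_name)


if __name__ == "__main__":
    stores = build_stores()
    print(erase_subject(stores, "alice@example.com"))
```

Two design points matter more than the code: identifiers are resolved before the first delete, because once the CRM row is gone the customer ID in the ticket and invoice systems can no longer be tied back to the email (a second request for the same address finds nothing, even though the retained invoice still exists); and the report is returned rather than just printed, because that report is the only durable record that the request was handled and on what ground part of it was refused.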

Is Cyber Insurance Good Enough?

For data that is not exempt under GDPR, risk mitigation is a must. Currently, many cyber insurance policies offer some type of coverage for regulatory actions.

While most current cyber policies provide coverage for costs to comply with regulatory investigations as well as any associated fines and penalties, coverage may need to be clarified to confirm that the policy extends to investigations launched by any entity that has the authority to enforce GDPR compliance.  Further, the definition of Personally Identifiable Information may need to be modified to affirm coverage for information concerning an individual that would be considered “personal data” or “sensitive personal data” within the meaning of GDPR.

Maintaining Compliance


The first step to remaining compliant is to understand what’s required under GDPR. The regulation requires a US-based company that processes EU residents’ data without an establishment in the EU to designate a representative in the EU, who serves as the point of contact for data subjects and for the supervisory authority in each country where the company does business.

Companies should also be building GDPR requirements into their incident response and business continuity plans. Any company that hasn’t started preparing for GDPR may need to seek outside help to achieve compliance before the May 2018 deadline.

One of the key changes companies can make to improve their compliance efforts is to change how data is handled. Simplify how personally identifiable information is housed – best practice is to keep personal data in as few places as possible, which makes it easier to comply with erasure requests and data security requirements, among others.

When GDPR takes effect in May 2018, US companies doing business within the EU will face challenging compliance requirements. To be reliably compliant, companies will need to make a significant shift in culture and awareness. Knowing what information is protected, and devising storage and handling solutions that cover all stored data, can help prevent regulatory violations. With a comprehensive approach to compliance, US companies can continue to conduct business within the EU successfully.


Elissa Doroff is underwriting and product manager for XL Catlin’s Cyber and Technology business. Have questions about XL Catlin’s cyber insurance coverage? Reach out to Elissa at

Aaron Aaneson is Director of Cyber Security at Risk Consultancy S-RM. Have questions about how ready your business is for GDPR? Contact Aaron at
