The Impact of GDPR: EU data protection meets US-based business
Privacy regulations in the United States have nothing on those in the European Union (EU).
In fact, the newly minted General Data Protection Regulation (GDPR), which will take effect May 25, 2018, sets forth some of the most stringent privacy requirements in existence. The regulation unifies data protection within the EU and bolsters the rights of individuals.
Yet despite the focus being on consolidating the disparate data protection and privacy regulations of EU countries, the GDPR poses serious implications for US-based companies. The regulation imposes wide-reaching protection of the personal data of EU residents, which applies to the export of such data outside of the EU.
GDPR: The Genesis
Even before GDPR came into being, the European Parliament had enacted in 1995 the European Data Protection Directive, which created more uniform privacy guidelines among member states. The directive was implemented in October 1998, setting forth protections of individuals in terms of the use and processing of personal data, and on the free movement of the data.
However, the directive was not legally binding. Member states were charged with turning the directive into internal law within their own countries. As each country adopted its own version of the directive, laws became a patchwork of regulation that made it difficult to do business and meet all data protection compliance requirements per country.
In 2009, EU groups renewed the discussion data protection in a global economy, with countries once again considering how to protect data and privacy with the onset of information technology and cloud computing. At issue was the need for a consolidated, uniform framework addressing data and privacy, one that would close the loopholes that companies had exploited in order to circumvent the data privacy regulations.
One of the more notable changes that GDPR brings to data protection and privacy in the EU is Article 17: the right to erasure. Also known as the ‘right to be forgotten’, it places control of personal data on the individual. Individuals have the right to request that companies or entities holding their personal data delete all instances of said data. The law requires that companies complying with such requests do so “without undue delay” and have a process in place by which such requests can be fulfilled.
Importantly for US companies – GDPR defines personal data as ANY data that can be attributed to a living individual. This may include personal health information, IP addresses, racial and ethnic orientations, social and religious orientations, genetic and biometric data, photographs, even transaction histories.
While breach notification is required in all but two states, US businesses are ill-equipped for compliance with such a stringent regulation. The issues are myriad, and the fines for noncompliance are high – up to 4% of global parent annual turnover or 20 million euros, whichever is higher.
What are the challenges for businesses?:
- IT exposures: erasing every instance of an individual’s data can be difficult. Handwritten forms and records filed as ID numbers and not as names can make personal data harder to trace and remove.
- Resident status: GDPR protects the data of any person residing in the EU, even Americans living in an EU country. Regardless of where the data is being viewed or processed, GDPR applies. Companies selling products and services to EU-based customers must comply with GDPR.
- Legitimate use provisions: GDPR allows companies to use data only for the reasons in which it was collected. This means companies will be required to conduct ongoing reviews of records and make determinations about what to do with each data set. In many instances, many US companies may have never disclosed what the data would be used for. Therefore, notifying data subjects regarding how their data is being used will be a new process.
- Data transfer: Under previous regulation, businesses could simply transfer personal data to a country that doesn’t regulate it. Under GDPR, the regulation closes that loophole and extends protection to data that is transferred for whatever reason.
- Data use/viewing: GDPR applies to data that is being viewed or used in an EU country, even if the country of origin is outside the EU. Such use is considered data transfer under the GDPR, and would fall under the purview of the regulation.
- Data Protection Officer (DPO): Many companies will be required to hire or name a DPO to oversee their GDPR compliance program and respond to related requests and complaints.
- Risk assessment: In certain circumstances businesses will be required to ascertain the risks associated with processing personal data. If the risks are too high, it may prohibit them from processing the data.
" Companies should be building GDPR requirements into their incident response and business continuity plans."
While the regulation is clearly written to further protect individual data privacy, companies are not without some rights under GDPR. For instance, some instances allow for exceptions. The GDPR allows for companies to maintain records and even refuse requests from individuals if processing such data is necessary to comply with certain legal obligations, if archiving such information is in the public interest, or if deleting the information would impede the right of freedom of expression and information.
Is Cyber Insurance Good Enough?
For those instances that are not exempt under GDPR, risk mitigation is a must. Currently, many cyber insurance policies offer some type of coverage for regulatory migration.
While most current cyber policies provide coverage for costs to comply with regulatory investigations as well as any associated fines and penalties, coverage may need to be clarified to confirm that the policy extends to investigations launched by any entity that has the authority to enforce GDPR compliance. Further, the definition of Personally Identifiable Information may need to be modified to affirm coverage for information concerning an individual that would be considered “personal data” or “sensitive personal data” within the meaning of GDPR.
The first step to remaining compliant is to understand what’s required under GDPR. The regulation requires any US-based company doing business in the EU to have EU representation. That means businesses should be in contact with the supervisory authority in each country where the company does business.
Companies should also be building GDPR requirements into their incident response and business continuity plans. Any companies that haven’t started preparing for the GDPR may need to seek outside help to achieve compliance in order to meet the deadline.
One of the key changes companies can make to improve their compliance efforts is to change how data is handled. Simplify how personal identifiable information is housed – best practice would be to contain data to as few places as possible, making it easier to comply with erasure requests and data security requirements, among others.
As GDPR is enacted in 2018, US companies doing business within the EU will be facing challenging compliance requirements. In order to be reliably compliant with GDPR requirements, companies will need to make a significant shift in culture and awareness. Knowing what information is protected and devising storage and handling solutions that address all stored data can help prevent regulatory violations. With a comprehensive approach to compliance, US companies can continue to conduct business within the EU successfully.
Elissa Doroff is underwriting and product manager for XL Catlin’s Cyber and Technology business. Have questions about XL Catlin’s cyber insurance coverage; reach out to Elissa at firstname.lastname@example.org. Aaron Aaneson is Director of Cyber Security at Risk Consultancy S-RM. Have questions about how ready your business is for GDPR, contact Aaron at email@example.com