Data protection

The Implications of GDPR

Russell, Managing Director
On 25th May 2018 the European Commission will mandate the General Data Protection Regulation (GDPR) across the 28 member states of the EU.

The new data protection regime has been designed to drag the EU into the digital age and, in turn, to offer greater protection to citizens' personal data, giving them the right to have it erased or corrected and to object to profiling.

The new requirements will place increased responsibilities on organisations to ensure personal data is stored safely and processed correctly. The powers of the regulators will also be heightened, with penalties for breaches increased dramatically and a compulsory requirement to notify regulators of any breach within 72 hours. Every organisation that holds, stores or processes data about EU citizens will have to comply.

For serious breaches, firms will have to pay up to 4% of their global annual turnover or €20m, whichever is the greater. The scale of the fines under the new regime can be illustrated by the recent fine of £400,000 imposed on TalkTalk. Under GDPR this could have been closer to £60m.

Businesses should be asking themselves how prepared they are for the new regulations, both in terms of their data breach response plan and the personal data they already hold. One of the UK's largest pub chains has recently deleted its entire mailing list because it is unsure whether each customer explicitly consented to receiving marketing emails.

GDPR and Insurance

The interest in cyber insurance over the last few years is timely. Some areas of GDPR breach exposure are insurable, but organisations are also drawing on insurers' experience through the breach support services included in most cyber insurance policies on offer in the market. A good cyber policy will include IT, legal and PR assistance during and after a cyber-attack. Notifying a breach comes with significant costs to the organisation: the firm must notify not only the regulators but also each individual whose personal data was put at risk. These costs quickly escalate and can be insured under a cyber insurance policy, along with follow-up credit and ID monitoring.

The liability exposure for GDPR breaches will in the main be directed towards the company that has incurred the breach. Any individual who suffers material or non-material damage as a result of the breach [including distress] will have the right to receive compensation. A robust cyber policy will cover the liability claim and the defence costs too.

In some instances a claim could also be directed towards the directors of the organisation. This has already occurred in the US following the cyber hacks of Target and Home Depot. It is a worrying trend, and it stresses the importance of ensuring that a directors' and officers' indemnity policy is also in place to cover defence costs against such litigation.

Worryingly, 44% of businesses in a recent Crown Records Management survey didn't think the regulation would apply to UK businesses after Brexit. Earlier this year the Information Commissioner's Office [ICO] confirmed that UK data protection law will remain aligned with the EU's regardless of Brexit.

The arrival of GDPR and its implications should be high on the agenda at every level of an organisation, large or small. Education is key to protection, but the risks associated with cyber-attacks and poor security also need a robust defence should that protection fail. The financial consequences of a data breach alone could cripple an organisation. Previously, purchasers of cyber insurance would test the water with limits starting at £100,000, but we have observed new buyers starting out with programmes of anything from £5m.

For more information please contact me on 020 3670 5005 or russell@vibl.co.uk.

Russell Sessions
Founding Partner
Vizion Commercial