What is GDPR?
When the General Data Protection Regulation (GDPR) goes into effect on May 25th, significant new obligations will be placed on companies doing business in the EU or with European citizens. Adopted in 2016 after a lengthy debate among EU member states, GDPR goes far beyond the data breach notification requirements that we are familiar with in the US. It also places restrictions on how companies collect and manage data, requiring that consumers have the ability to access, correct, and delete their private information.
Though this policy is primarily aimed at EU citizens, it also covers those who are in possession of EU-based personal data. Its focus is to ensure that consumers have rights such as:
- The right to erasure
- The right to restriction
- The right to object
- Information notices
In the wake of the Cambridge Analytica and Facebook data collection scandals, there’s a lot of confusion, concern, and admittedly, some hysteria surrounding the impact of GDPR on businesses, and on American businesses in particular.
At the end of the day, the conversation surrounding GDPR is expressed best by Jason Kint, CEO of Digital Content Next.
“Consumers expect their data to be used within the context it was collected or by entities with whom they have a relationship, but they don’t expect their data to be set out like a buffet at the Golden Corral, where anyone can walk in off the street and help themselves.”
What Constitutes Personal Data?
The GDPR classifies personal data as anything that can be used as part of identification. Beyond the obvious name, phone number, and address, this also includes:
- Bank information
- Any numbers pertaining to financial accounts
- Medical information
- Information (such as names) associated with social media posts
Some of these identify a person more directly than others, so whether a given incident counts as a “breach” can be harder to determine. Personal data also includes digital identifiers such as IP and MAC addresses and the cookies used for analytics, advertising, and chat tools.
How does it impact American businesses?
If you’re a US company with no direct business in the European Union, you may believe that you’re in the clear. However, according to this article from Forbes magazine, that may not be the case.
While the physical location of your office is firmly rooted in the US, your website has a potential geographic scope beyond domestic borders.
“Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.” (Source: Forbes)
What does this mean? Any data collected from a user on your site while that user is in the EU is subject to EU regulations. Furthermore, these regulations are not limited to financial transactions.
Any time that you collect personally identifiable information, you are responsible for protecting the data in accordance with the rules and regulations of the country or province in which the user is located at the time the data is collected.
What are the potential penalties?
Perhaps the most alarming aspect of GDPR is the potential for significant financial consequences. Companies found to be in violation of the regulation can face fines of up to 4% of their total global revenue.
How do I avoid risks, liabilities, and fines?
The short answer, using the specific language of the GDPR, is consent that is “freely given, specific, informed, and unambiguous.” Incidentally, getting this right also covers a multitude of other potential risks and liabilities in your business.
This is one of the fundamental aspects of GDPR. To that end, the law prohibits companies from using “long illegible terms and conditions full of legalese,” instead requiring “an intelligible and easily accessible form” that states the reason for data collection clearly and makes it “as easy to withdraw consent as it is to give it.”
For instance, let’s say you have a landing page on your website where users can request a free quote on a product or service in exchange for some details about themselves. Clearly explaining how you plan to use their personal data and why you need it, along with removing any opt-in fields that are checked by default, should help you steer clear of most issues.
You’ll want to document answers to the following questions for your business:
- how does your business collect data?
- how does your business store data and for how long?
- where does your business store data and who has access to it?
- what does your business use the data for?
So… am I covered?
The good news is that many aspects of GDPR should be covered by a solid cyber insurance policy. Be aware, however, that there are also some big unknowns when it comes to GDPR and cyber liability coverage.
Cyber insurance policies have long been proactive in offering coverage for fines and penalties associated with violations of privacy laws.
- Who is a privacy regulator? Many cyber policies include “international” or “foreign” entities in the list of potential privacy regulatory bodies. Often, cyber insurers will specifically add European Data Protection Authorities (DPAs) by endorsement to make the policy sound GDPR-savvy, but in most policies, this is not a material change.
- Privacy breach vs. Privacy violations. One important nuance is that the definition of “privacy law” in cyber policies is generally limited to laws regulating privacy breaches. GDPR will impose rules around a much broader set of privacy issues, including how data is stored, managed, and accessed. Insurers are now willing to expand coverage to include claims related to these exposures. This extension is often referred to as “wrongful collection” coverage, but should also include allegations of improper storage and handling of data.
- Most favorable venue wording for fines and penalties. Commonly found in D&O and EPL policies where coverage for punitive damages is available, a “most favorable venue” provision reinforces the insurer’s intent to pay a fine whenever possible. Such provisions usually state that the insurer will take into consideration all reasonable venues to determine the insurability of a fine or penalty, such as where the company is located, headquartered, or incorporated, or where the claim or event occurred. Cyber policies do not consistently include this language, but insurers are increasingly willing to add it by endorsement.
Speak with us today about GDPR and cyber liability coverage!
With the deadline for GDPR looming, it’s important that your business remains ahead of the curve to avoid any potential risks or claims that could negatively affect your business. Start with a GDPR and cyber liability coverage consultation today by completing the form below or giving us a call at (732) 566-0003.