
RISK IN CONTEXT

Cyber-Attacks Highlight Importance of Being Ready For the GDPR

Posted by Peter Johnson 15 December 2016

It seems that rarely a day goes by without a cyber-attack on a major company making the headlines. Recent publicity surrounding cyber-attacks, including data breaches at TalkTalk and Tesco, highlights the vulnerability of businesses to cyber security breaches and the potential consequences that can follow.

When the deadline arrives for companies to comply with the European Union General Data Protection Regulation (GDPR), the fines businesses could face as a result of such breaches are significant.

The GDPR will come into force in all EU member states from 25 May 2018, and businesses will be required to be compliant by that date. Although the UK has voted to leave the EU, the lengthy period of exit negotiations means that the GDPR will, at least temporarily, become law in the UK. With the expanded territorial scope of the GDPR, UK companies offering goods or services (even for free) to EU citizens, or monitoring the behaviour of EU citizens, will also continue to be subject to the GDPR, regardless of the UK's departure from the EU.

How Will It Affect You?

For individuals, the GDPR introduces enhanced rights and protections concerning the use of their data. For companies, it introduces new breach notification rules and significantly higher fines of 4% of global turnover or EUR20 million (whichever is greater) in the event of a data breach.

Your business should assess the implications of the GDPR and implement the required changes. When preparing for the GDPR, you should:

  • Know how it will impact your company: The broad territorial reach means GDPR will also impact companies located outside the EU.
  • Be aware of the increased fines: Do you know how much your company could be fined if it experiences a data breach?
  • Know what personal data your company holds and the lawful basis on which you rely when using and storing it. Keep in mind the more stringent consent requirements.
  • Have plans in place to respond to data breaches: Companies are required to notify the relevant supervisory authority of most data breaches within 72 hours of becoming aware of the breach. The GDPR also introduces mandatory notification to affected individuals where the breach is likely to result in a high risk to those individuals.

It may seem as though there is plenty of time before the GDPR comes into force, but the new rules include obligations that may require your company to make operational and IT changes, which take time and require budget investment. With the likelihood of experiencing a cyber hack increasing and the potential for steep fines if personal data you hold is compromised, the risks associated with delaying preparations are too great to ignore.

Peter Johnson