Tougher New European Data Protection Law to Have Lasting Effects
Data protection laws in Europe just got a lot tougher. The European Parliament’s recent approval of the new General Data Protection Regulation (GDPR) — a landmark law four years in the making — significantly expands privacy regulations for corporations, including potentially drastic fines for companies violating the law.
The new GDPR becomes effective in 2018 and can affect any company handling European personal data inside or outside Europe. The GDPR applies to more data processing activities and organizations than existing regulations. It:
- Strengthens and expands individuals’ personal information rights.
- Expands the territorial scope and application of EU privacy law.
- Increases organizations’ compliance obligations.
- Expands regulators’ enforcement and sanction powers, fines of EUR20 million or 4% of a company’s global revenue, whichever is greater.
- Introduces new data breach notification rules.
Impacts on Your Business
To accommodate the GDPR’s expanded privacy rights obligations for the processing of personal information, companies will need to:
- Provide greater transparency and notice about why individuals’ personal information is used or processed.
- Obtain proof of consent to such processing by “clear affirmative action” of individuals.
- Create ways to allow individuals to exercise their “right to be forgotten” and data portability.
- Conduct privacy impact assessments, appoint data protection officers, and develop local capabilities for responding to data breaches.
- Demonstrate compliance with the GDPR through documented controls and audits.
Call to Action
While some have asked about potential protection from the pending EU-US Privacy Shield agreement, which is currently being negotiated as a successor to “Safe Harbor” regulations, there is no expectation that any future agreement would exempt or protect US companies from compliance with the GDPR. The good news is that if your company handles European personal information, you have two years to prepare.
Nonetheless, it’s still a good idea to:
- Review the GDPR’s impact on your products and services.
- Alert senior leaders of the coming changes and how the law may affect your operations.
- Review the effectiveness of your current data protection framework and identify changes necessary to comply with the GDPR.
- Identify resource or capabilities gaps, and start budgeting to close them.
- Reassess your ability to handle future data breach notifications in the EU.
- Consider ways to manage your exposure to data breach expenses and regulatory fines, including by purchasing cyber insurance.
Organizations — including regulators — must recognize that growing cyber risks cannot be resolved solely through better technology. Regulations like the GDPR reflect the growing consensus that organizations must manage cyber threats as a risk issue. Good cyber risk management, which requires working with your insurance advisor, includes assessing exposures to the GDPR, investing in protections and risk transfer, and building your capabilities to respond to cyber threats and better protect your organization.