General Data Protection Regulation

After over three years of discussion at many levels, the new EU data protection framework has finally been agreed. It takes the form of a Regulation - the General Data Protection Regulation.

The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will not come into force immediately (this is likely to be in the first half of 2018). However, as it contains some onerous obligations, it will have an immediate impact.

The General Data Protection Regulation (GDPR) is a milestone in EU data protection law. Until now, each member state had its own rules. The GDPR unifies the law across the EU. It also significantly expands the obligations of companies that process individuals' personal data - which will impact upon SME businesses along with larger organisations.

The GDPR will come into force in mid-2018[1], but companies need to start making changes now if they want to be ready to meet their new obligation and avoid potentially crippling new fines for getting things wrong.

Many businesses will be looking for support during the preparation process and beyond.

Rules and practicalities

While the text of the GDPR is vast, it's helpful to focus on three key points:

    Accountability.

    • Under the GDPR, companies are responsible for building data protection and privacy into their organisational design. Procedures, staff training, IT services - all of these must be up to standard. Any data processing they carry out must be lawful and justified

    Notification. 

    • As authorities are well aware, some large companies currently make the commercial decision not to report cybercrime[2]. While, previously, companies could sweep data protection breaches quietly under the rug, the GDPR obliges companies to notify the authorities of all breaches that put individuals at risk (where feasible, within 72 hours[3]). In high risk cases, they'll also need to notify the individuals whose data has been hacked. 

    Consent.

    • The GDPR lays out more stringent requirements on getting properly informed consent for the use of data - particularly surrounding data being moved outside the EU.

    In a practical sense, this means companies should be reviewing all of their policies for data protection in preparation for 2018. The regulation will require many to appoint expert data officers, and to carry out risk and impact assessments of all data processing. They will also have to prepare procedures for reporting, so that they can keep within the 72-hour limit in case of a breach.

    Penalties for non-compliance

    And now we come to the looming threat for companies - the penalties. Of course, the penalty will depend on the nature and effect of the offence or breach. The rules set out two tiers of fines according to the seriousness of the infringement. The figure that has boardrooms sitting up and taking notice is the maximum penalty allowed: 4% of global turnover. That's a potentially crippling blow to a company.

    Things that could trigger fines for businesses of up to €20million (£15.7m) - or a penalty of that business's 4% total worldwide turnover for the previous year (whichever is the higher) include breaches of:

    • the basic principles for processing data - including conditions for consent;
    • international transfers; and
    • not complying with orders imposed by the supervisory authorities.

    The lower 2% of teir turnover or €10million (whichever is higher) can be imposed on businesses if they do not fulfil the obligations set out in the regulations on a range of measures, including[4]:

    • maintaining written records;
    • reporting breaches when required by the GSPR to do so;
    • implementing technical and organisational measures to ensure data protection by design and default;
    • conducting impact privacy impact assessments;
    • appointing data protection officers where appropriate; and
    • subcontracting correctly and with the right authority;

    Implications for cyber insurance 

    Obviously, the GDPR is a game-changer for companies that process data - and it's likely to have some equally extreme impacts on the cyber insurance industry.

    Increased interest in protection. Because of the potential fines under the GDPR, cybercrime can no longer be considered as an acceptable 'running cost' of business. Companies will need protection. This should lead to greatly increased interest in cyber insurance, and a corresponding surge in the market.

    Increased awareness.

    Since cyber attacks must be reported under the GDPR, we can expect some disturbing statistics to be published in the next few years. Companies that have not yet experienced serious attacks, and do not pay much attention to the risk, will be given a sharp wake-up call when they see the true prevalence of data breaches.

    Potential for better risk calculation. Currently a limited number of insurers have dipped their toe into the waters of cyber insurance. The GDPR's reporting obligation will make it much easier to estimate the occurrence and risk of cybercrime, making it a less murky prospect for insurers. Because of this, there is likely to be a wider cyber insurance offering. Insurers already offering cyber insurance will be able to offer better value by singling out lower risk companies.

    Help from insurers to reduce risks. The insurers working in this field could look to help their clients with risk management and risk reduction to prevent potential breaches and improve their client's systems. The help available from different insurers could also help differentiate between providers.

    This is a huge opportunity for insurance companies and brokers to gain a footing in an expanding market. The goal must be to offer companies support as they prepare for the challenges the GDPR lays out.

    1]https://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era (assuming the GDPR is soon to be published in the EU journal) [2]https://www.london.gov.uk/sites/default/files/gla_migrate_files_destination/Tightening%20the%20net_0.pdf 2.6, 3.15, etc. [3]https://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf P53

    [4] We haven't included every single example but key ones for businesses.

    GDPR Checklist

    This table is designed to give an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organisations need to take to meet those requirements. 

    It can be used to gain an understanding of where an organisation has gaps in its compliance and to articulate how its control programme will meet the requirements. 

    It should be noted that certain parts of the GDPR (such as exceptions to the data subject rights) will be supplemented by Member State local legislation and guidance from local data protection authorities, which will be renamed Supervisory Authorities, and the Article 29 Working Party, which will become the European Data Protection Board under the GDPR. 

    Enforcement of the GDPR is coming soon, and organisations need to be ready.

    Early planning is essential. Enforcement of the GDPR starts on 25 May 2018. Organisations will find it very difficult to bring their business operations into compliance with the GDPR by this date unless they take its requirements seriously, and commit sufficient time and resources to satisfying those requirements. Because the GDPR affects almost all of the ways in which an organisation processes personal data, the scale of this task should not be underestimated.


    Bird & Bird& guide to the GDPR

    This guide seeks to summarise the key changes that the new law will bring and to highlight the most important actions which organisations should take in preparing to comply with it.  

    Global Guide to Data Breach Notifications

    Please note that this guide provides general information only. Its purpose is to provide a brief overview of legislation governing data breach notification requirements in each jurisdiction covered. This information is not comprehensive and is not intended or offered as professional or legal advice, generally or in a given situation. This guide is an outline of country-specific obligations, which may change. Facts and issues vary by case. Legal counsel and advice should routinely be obtained, including locally for any particular jurisdiction. Please consult your own counsel. This publication may constitute "Attorney Advertising" in some countries or jurisdictions.