Can insurance mitigate GDPR-related risk?
By Caitlin Plunkett | July 16, 2018
In the wake of the implementation of the European Union’s General Data Protection Regulation (GDPR), businesses worldwide are developing policies and processes to address compliance. Organizations might also consider asking: Can insurance help my U.S. business avoid the risks associated with this new regulation?
GDPR “regulates the processing by an individual, a company or an organization of personal data relating to individuals in the E.U.” The GDPR definition of personal data encompasses the U.S. definitions of personally identifiable information (PII) and includes “personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person.”
GDPR grants new rights to individuals regarding their personal data, including the right to request their personal data held by an organization and to request that their personal data be erased. The regulation requires “data protection by design,” meaning organizations are required to demonstrate that technical, procedural, and operational steps are taken to protect the privacy of personal data collected.
Why should a U.S.-based business be concerned?
GDPR applies in part to companies “established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”
According to the European Commission website, a U.S.-based business offering services only in the United States, to U.S. customers, and making no efforts to market goods and services to individuals in the EU is not subject to GDPR. If, however, it has an international footprint in terms of web presence or client base and processes personal data in the form of data collection or monitoring of individuals in the EU, the Commission notes that that business is required to comply with GDPR.
There’s reportedly some flexibility for small to medium enterprises (SMEs) for which data processing is not a core business activity; for example, these businesses reportedly do not need to keep records of their data processing activities—unless data processing is a regular activity or includes sensitive data or criminal records. Conversely, some high-risk organizations might be required to conduct a Data Protection Impact Assessment.
Insurance can help
In general, in relation to a security breach, cyber insurance can potentially help offset many of the costs a company might incur, including:
- Hiring a security firm: There are often fees and costs for hiring a security firm or forensics firm to assess an event or to determine if a breach occurred or is ongoing.
- Notification and post-event monitoring: If an EU user’s data is breached, the breached company will need to notify the appropriate EU supervisory authorities within 72 hours of discovery. After that, notification to affected individuals might also be required. This is a change from the past. Before GDPR, notification of breach of personal data was required across the U.S. but not in the EU. Notifying individuals affected by a security breach and, where needed, providing post-event credit monitoring services can be expensive.
- Public relations expenses: A security breach, whether in the U.S. or EU, can result in the need to hire a public relations firm to manage reputational damage.
GDPR creates new areas of possible exposure and loss potential for businesses in the EU and worldwide.
- Fines and penalties: Fines and penalties up to 4 percent of global annual revenue or €20 million can be levied by regulators for an organization’s failure to comply with GDPR, such as an infringement on data subjects’ rights. Aon and DLA Piper looked at the insurability of GDPR fines by country. Their study, The price of data security: A guide to the insurability of GDPR fines across Europe, explains their findings and indicates that GDPR fines are only insurable in one EU country, Finland. According to Aon and DLA Piper, GDPR fines are also insurable in Norway, a European Economic Area (EEA) country.
- Costs of noncompliance: Many cyber insurance policies available today include coverage for losses associated with defined events such as a security breach, cyber incident, or extortion threat. But even when there has been no breach, cyber incident, or extortion threat, failure to comply with GDPR could result in costs such as those related to public relations. The Aon and DLA Piper paper expands on this topic, discussing the potential costs associated with noncompliance, including “legal fees and litigation, regulatory investigation, remediation, public relations, and other costs associated with compensation and notification to impacted data subjects,” adding that “the potential damage to an organization’s reputation and market position can be significant.”
As organizations around the world transition into this new era in data privacy, we expect the insurance industry will have to adapt to provide solutions to address market needs.