By John Farley

The EU’s GDPR, or General Data Protection Regulation, effective May 2018, has more to do with North American companies than you think.

Don’t do business in the EU? It doesn’t matter. The EU GDPR affects any business that offers goods or services to EU citizens or handles their personal data. That includes anyone with European customers – Canadian hotels and restaurants, online retailers and anyone else that sells goods overseas. In today’s digital age, the EU GDPR applies to enterprises worldwide.

Already covered by cyber insurance? Again, that may not matter. Most cyber policies require a trigger, like a hack or network intrusion, to respond. GDPR fines for non-compliance may not be enough to be considered a trigger. The new regulation can penalize you for simply targeting your existing clients in advertising or failing to obtain their consent before collecting their personal data. And fines can be as high as four percent of the organization’s annual revenue, or 20 million EUR, whichever is greater.

Consider the following common cyber claims that could be subject to policy limitations or exclusions as they relate to GDPR. Ask your broker about them and how you can be more adequately covered for GDPR at your annual renewal.

  • Costs of deploying an international breach response team to navigate breach investigations and notification requirements in international jurisdictions.
  • Compensation claims, such as class action lawsuits, brought against an organization for liability related to a company’s data practices.
  • Fines imposed by regulators. Pay close attention to coverage for fines and be aware of potential coverage pitfalls, including:
    • Regulatory fines for data-use practices in the absence of a breach
    • Intentional violations by rogue employees leading to coverage denials
    • Coverage for punitive damages

What are the EU GDPR provisions?

As a general rule, GDPR applies to any company, regardless of geographic location, that collects, stores or processes an EU resident’s personal information. Other highlights include:

  • 72-hour data-breach reporting: In what is likely the most stringent reporting requirement in the world, organizations must notify affected individuals of data breaches within 72 hours.
  • Consent: Under certain circumstances, data controllers will need to demonstrate that they obtained consent on behalf of the data subject before collecting their information. Consent must always be given explicitly and cannot be assumed. Reliance on pre-checked boxes, silence or no activity could be considered a violation of the consent provision.
  • Profiling: Restrictions apply to targeted advertising, specifically when monitoring the behaviour of individuals for commercial purposes, such as profiling and other use of personal information for analytics.
  • Procedural documentation: Documentation of data collection and processing activities will now be required.
  • Appoint a data-protection officer: Organizations with more than 250 full-time employees that carry out large scale systematic monitoring of individuals, or large scale processing of special categories of personal data, will be required to appoint a data protection officer. Before engaging in risky data processing activities, the data protection officer will be required to conduct a formal data-protection impact assessment.
  • Privacy by design: Organizations are now required to undertake data-privacy impact assessments in the event that the relevant processing operation is “likely to result in high risk to the rights and freedoms of natural persons.”
  • Right to erase: Data subjects will have enhanced rights, including the right to be forgotten. This will force companies to take steps to minimize or eliminate the data subjects’ digital footprint and re-evaluate data retention policies.

Understanding all the policy options will help you secure broader cyber coverage. Contact your HUB broker today to learn about your GDPR cyber exposures and how you can successfully transfer the risk.