A Primer on the General Data Protection Regulation (GDPR)
July 31, 2017 | By Marek Kaszczyc
The recent WannaCry and Petya cyberattacks have highlighted potential vulnerabilities inherent in even the largest companies and offer stark reminders of how such exposures can affect revenues.
Rather than stealing data, those attacks encrypted it and demanded a ransom to unlock computers. A data theft attack, by contrast, normally operates covertly and is likely to target a single, high-value organization that holds valuable personal data such as medical information or credit card details.
The attacks came as efforts to bolster cybersecurity are on the rise worldwide. In 2016, the European Union (EU) ratified the General Data Protection Regulation (GDPR), a strict set of regulations to protect data privacy. It is expected to go into effect in May 2018 and will affect all EU companies and virtually all companies that do business with them. Non-compliance with this regulation could result in a fine of 2% of global annual revenue or €10m, whichever is greater – or double that amount for a significant breach of data protection laws.
Did you have to read that twice? Yes, those numbers are correct – enough to drive many companies out of business. And, no, there are no lower tiers. It’s a whacking big fine.
As the May 2018 date looms, companies throughout the world are gearing up to ensure their policies meet the regulatory standards. So, now we have your attention, here are a few key questions and guidelines that all businesses should examine to avoid fines and ensure their data is protected.
First, what is the definition of personal data? According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Second, who are the key actors? In this situation, three key actors are identified: the data subject (the person whose personal information is being processed), the data controller (the company that is collecting the data, such as an insurer) and the data processor (the organisation that is processing data on behalf of the data controller, such as a managed service or cloud provider). Moreover, the scope of the regulations is not limited just to companies within the EU. Any company processing the personal data of EU citizens is also subject to the regulation.
Third, how do the regulations affect the relationship between companies and their clients? In light of the regulations, companies need to be vigilant in ensuring their clients provide consent before their data is collected. In the event a client exercises a “right to erasure,” meaning they request their data be deleted from all systems, the company must comply, including erasing data from back-up systems.
Fourth, how do the regulations affect the relationship between companies and their third-party providers? Businesses have an obligation to ensure all suppliers that hold personal information about employees comply with the regulation so there is no breach of personal data.
Significantly, if the data processor has amended business processes whilst setting up the service, they may also be considered a “joint data controller.” If that data processor is outside the EU, companies may need to take additional measures, such as including “model clauses” in any contracts. And depending on how personal data is used or accessed, companies may be obligated to employ a Data Protection Officer.
Finally, in the event of a personal data breach, what are the appropriate next steps? Companies must inform a supervisory authority within 72 hours. The bar for notifying the regulator is demanding: any breach must be reported, no matter how small. Subsequently, a data processor must inform the data controller if they have incurred a breach. Most importantly, the company will need to inform all affected data subjects – unless their data had been anonymised. So, this is a fairly major change for many companies. In essence, anyone holding any data about EU subjects must be compliant or could face a catastrophic fine.
In summary, your organisation should proactively consider the following steps:
- Familiarise yourself with the new regulation before it comes into force on May 25, 2018.
- Ensure your third-party suppliers are compliant – you may need annexures to your contracts.
- If you have managed services suppliers, connect with them to ensure they are fully up to speed with the new regulations. If they are non-EU firms, they may think the regulations do not apply to them.
- If you are thinking about appointing a managed services company, make sure they are compliant and have an in-depth understanding of the regulations.
- Ensure your technology infrastructure is prepared and equipped with tools that minimize the risk of data leakage.
Contact Xceedance for more information on how you can best prepare for GDPR. The insurance and IT experts at Xceedance offer customized solutions to guide insurers through the compliance process and help to ensure your data is secure now and in the future.
Marek Kaszczyc is vice president, head of Poland operations at Xceedance.