As the General Data Protection Regulation introduces tougher rules and penalties from May 2018, are insureds prepared?
Everyone by now knows about the penalties under the General Data Protection Regulation (GDPR), coming into force this May: up to the greater of €20 million or 4 per cent of worldwide turnover – making them almost limitless.
Few expect that to be a common occurrence but, if there are examples to be made, it’s likely to be big businesses that are hit hardest.
“That’s why the fines are set at that scale; it’s to scare the likes of Facebook and Google,” says Sarah Stephens, Head of Cyber, Content and New Technology Risks at JLT Specialty.
“Under the current regime of a maximum fine of £500,000, there’s no real bite for big businesses. Four per cent of turnover, though, is a very different number.”
On one hand, larger organisations should be better prepared than SMEs to face the challenge posed by the new regulations and therefore avoid penalties.
They have the resources and in-house IT functions to direct to ensuring compliance.
Under the GDPR, they are also almost certainly going to have to appoint a Data Protection Officer.
On the other hand, scale brings its own challenges.
For a start, getting to grips with the data within the organisation remains tricky, particularly for long-established companies.
“Older businesses that have legacy systems and have been through mergers and acquisitions (M&A) often find themselves running many different servers and with an IT infrastructure that is a little confused. They will really need to be addressed,” says Stephens.
Added to that, multinational businesses have to comply across jurisdictions: the GDPR applies to data of EU data subjects, regardless of where the business is based, where that business is offering goods/services to individuals in the EU, or monitoring their behaviour in the EU.
“There’s a significantly enhanced extra territorial scope to this,” warns Neil Warlow, Legal and Technical Advocate in the Financial Lines Group at JLT Specialty.
This applies wherever businesses are tracking EU data subjects on the internet, including using data processing to profile and take decisions predicting their personal ‘preferences, behaviours and attitudes’, as the regulation puts it.
Businesses will need to be able to track the flow of information to capture when data of EU citizens is being processed for these purposes, as well as more generally when data processed in the EU is being transferred outside the EU, such as to the US.
In the latter case, data controllers are required to give more information about such transfers to ‘third countries’ and obtain safeguards, such as standard contractual clauses, to protect data (which data subjects can request to see).
Add to this that the adequacy of protections in standard contractual clauses is being scrutinised at a European level and uncertainty over whether the UK will or will not be inside the European Economic Area post-Brexit, and there remain significant complications.
“All these factors may pose challenges to cross-border transfers from the UK to overseas,” says Lorna Doggett, a Principal Associate in the London office of law firm Eversheds Sutherland.
“Furthermore, it’s important to note that under GDPR the data processor (as well as the data controller) will be exposed to risk if transfers are unlawful.”
Finally, we’ve yet to see what burden the personal ‘data rights’ put on business.
These include the right for individuals to request a copy of the information (a right of access) and a right to have information erased (the right to be forgotten).
An existing fee of £10 for these ‘subject access’ requests under the UK’s Data Protection Act is removed under GDPR.
“There is going to be a lot of time, effort and cost put into dealing with what is likely to be a significant increase in the number of requests,” says Warlow.
Time to act
There are two further complicating factors for businesses trying to comply, too.
The first is skills shortages.
A study by the International Information System Security Certification Consortium earlier this year predicted a shortfall of 350,000 cyber workers across Europe by 2022 – in large part because of GDPR.
Helping to close that gap is likely to be one of the key benefits of insurance.
Whether insurance will cover fines under GDPR remains to be seen; given the general uncertainty on insurability of fines, Warlow thinks companies should assume it will not.
But it will cover third-party claims – crucial if Europe sees a rise in class actions that have bedevilled US businesses such as health insurer Anthem, which in June agreed a record $115 million settlement over data breaches.
And it will provide access to outside expertise to help ensure compliance and respond in the event of an incident.
“Policies will give access to the leading experts to support businesses’ internal resources,” says Stephens.
Not unrelated to the skills gaps is the second big issue for businesses: timelines. Businesses now have about five months until the new regime comes in, yet many remain unprepared.
A survey in September by business analytics firm SAS found fewer than half (45 per cent) had a structured plan in place for compliance, for example.
That’s a significant problem, says Winston Krone, Global Managing Director of cyber forensic and compliance company Kivu Consulting.
According to him, a key difference between GDPR and US regulations is that firms cannot afford to wait until a breach to put in the necessary work; that is the entire point of the requirement to notify regulators of any breach within 72 hours of becoming aware of it, he says.
“With the US regulations, you can theoretically wait until an event and then throw money at it. With GDPR, if you’re not up to speed, there is no way you meet the requirement to notify within 72 hours,” adds Krone.
In October, draft guidance from EU data protection regulators also revealed that those outsourcing data processing would be considered to be aware as soon as the data processor discovers the breach.
There are, however, two sources of comfort, says Krone. First, under GDPR, the investment is largely front-loaded: once businesses have put in the work, notifications and responses to a breach may not actually prove as onerous as feared.
Second, this is work many businesses have long acknowledged they should be doing anyway: data mapping to ensure they know what data they have, where it is, how it can be used, how it’s protected and, crucially, what they can get rid of.
“It's time for a spring clean, because one of the basic rules of security is that you can’t lose what you don’t have,” says Krone.
“If you’re collecting data you could make use of, that’s great, but the worst thing is to have sensitive data you are storing needlessly and not making money from. That’s just a big, pointless risk.”
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org