European Union gets serious about data protection

An upcoming European Union data protection law will enforce reporting of data breaches and introduce fines for companies breached because of their negligence, and risk managers need to act now to be ready for it, experts say.

A final version of the European Commission General Data Protection Regulation is expected in December, with the regulation taking effect across the European Union two years after its publication. Companies need to understand their risk profile now to prepare for it, sources say.

“Mandatory reporting is coming, and people need to start taking steps now” to be ready, said Geoff White, underwriting manager for cyber, technology and media at Barbican Insurance Group in London.

“Most businesses will need to make some changes to their data processing practices to meet the requirements” of the regulation, Marcus Evans, a partner at law firm Norton Rose Fulbright L.L.P. in London, said in a blog posting.

“Many will have to make extensive changes,” he said.

Instead of what Neil Gurnhill, head of digital risk and cyber/technology insurance at brokerage Safeonline L.L.P. in London, calls “patchworky” rules on data protection, the new law will be applied in the same manner across all 28 E.U. member states.

“Data is the new oil, the new gold, the way companies make money,” Mr. Gurnhill said. The rules will “ramp up the need for companies to have strong continuity plans” to deal with data breaches, he said.

The draft rules would require supervisory authorities and affected individuals to be notified of a breach that poses “significant risk of harm” to data subjects, or a serious violation of their rights, within 72 hours.

In its current form, the regulation also would reach outside of the European Union, with jurisdiction extended to the offering of goods and services to or monitoring of data subjects within the European Union by companies from outside the union.

While the draft regulation does not require companies to have data protection officers, it does allow member states to mandate that.

Fines on companies breached because of their negligence are likely to be between 2% and 5% of annual global revenue of the company in question, based on various drafts thus far.

While the European Commission, European Parliament and European Council are still working on the rules — and how strict they will be — “for many companies the regulation will require wholesale changes to incident response and risk transfer strategies, which they should start making immediately,” said Sarah Stephens, head of cyber technology and media errors and omissions at Jardine Lloyd Thompson Group P.L.C., in London.

Companies can only begin to quantify whether a breach poses “risk of harm” to data subjects if they have detailed documentation of their data and to whom it belongs, and have processes in place to swiftly and accurately assess the scope of any breach, she said.

This will mean that many companies will need to keep better records of customer and third-party data, she said.

Companies must also stress-test their cyber incident response plans, she said.

These plans, she said, should include key stakeholders from across the company, as well as senior management, to ensure that they are consistently applied across the company.

The Federation of European Risk Management Associations says it will continue to follow the development of the rules and to inform European lawmakers about the state of the cyber insurance market from the point of view of European buyers.

The introduction of the regulation likely will prompt greater take-up of cyber insurance coverage, Mr. Gurnhill said.

One of the drivers of cyber insurance buying in the United States has been the steps that need to be taken to notify most state legislatures of breaches, he said.