
EU data rules have broad reach


The purpose of the European Union’s General Data Protection Regulation, which took effect May 25, is to protect its citizens from privacy and data breaches.

U.S. companies that operate in the European Union or provide goods and services there must comply with the regulation. It applies to EU-based employees regardless of whether they are EU citizens. Suppliers and service providers must also be compliant with the regulation.

Experts say key provisions in the 100-page document include:

• The GDPR broadens the scope of what is considered personal data to include IP addresses, for instance, and places restrictions on a wide range of personal data, including genetics data and political opinions — essentially any information that could identify a person.

• Companies can be fined up to 4% of annual revenue or €20 million ($23.9 million), whichever is greater, for the more serious breaches. Under a lower tier of fines, companies can be fined up to €10 million or 2% of global revenue for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.

• Breach notifications must be made within 72 hours of a company first becoming aware of the breach. The GDPR considers an accidental or unlawful destruction of data to be a breach.

• Individuals can obtain confirmation as to whether their personal data is being processed, where and for what purpose. They must also consent to the processing of their personal information, including how it will be used and transferred to other entities.

• Individuals have the “right to be forgotten” and have their personal data erased.

• Companies involved in processing personal data must appoint “data protection officers.”
