GDPR - What You Need to Know About the EU's Latest, Largest Data Regulations
By Jorge Zelaya - Article on March 12, 2018
- Compliance and Risk
- Cyber Security
- Data Privacy
- Legal and Regulatory
In just a few short weeks, the internet landscape we’ve all become accustomed to will change dramatically. The European Union is implementing new regulation for online data collection. The General Data Protection Regulation, known as GDPR, will create new, far stricter rules on how organizations can handle consumer data.
Admittedly, it doesn’t sound very earth-shattering. It’s not a revolutionary new application or a game-changing new search engine. But these rules will change the way businesses and government organizations all over the world operate. If your organization has ever received data from citizens of countries within the European Union - even if you’ve never held operations overseas - the regulation will apply to you.
Watch our recent webinars on GDPR: Cyber Liability Practice Webinar Series
Essentially, GDPR considerably increases the rights of European citizens to know and understand what is being done with their data. It requires organizations to get consent before accepting consumer data. The request for consent must come in an “intelligible, easily accessible form” that explains how the data will be used. Revoking consent must be as straightforward as giving it. The consumer must be able to see, erase, and transfer their data upon request. Organizations must restrict their data collection and usage to only the data that is strictly necessary for their services. They must also alert consumers within 72 hours after a breach and incorporate data protection in any new system they develop. For organizations in which handling data is a primary function of their mission, GDPR will require hiring a Data Protection Officer.
GDPR is a massive shift - and the consequences for failing to follow its requirements are enormous. Fines can total up to €20 million or 4 percent of the organization’s annual global turnover, whichever is greater.
Preparing for this change may seem like an enormous task, and there are several things organizations should keep in mind. The first and most important is making sure your organization understands what GDPR requires and, more specifically, how it pertains to your organization and the type or types of data your organization may collect. As Robert McCullen pointed out in Forbes, “Every…piece of personal data poses a serious responsibility.” By taking a comprehensive look at what data you have and what data you need, you’ll get a better sense of how you can comply with the regulation.
The second step is to streamline your systems and make them as straightforward as possible. PLUS, or the Professional Liability Underwriting Society, recommends that organizations develop cybersecurity checklists and procedures in such a way that, should a breach occur, you will be able to explain precisely what happened to authorities and consumers - in less than 3 days. PLUS also recommends that organizations and their employees “be knowledgeable” and equipped to answer any questions consumers might have. The key to doing this is, of course, to have “clear and sound policies” across the board, from breach notification procedures to privacy rules.
GDPR represents a major shift towards global accountability and transparency. But with the right preparation, organizations can face the challenges of this regulation head-on, providing vital products, services and information to consumers all around the world.
Is there a standard of reasonableness? Is there a fair balance between reasonable security and reasonable business practices when it comes to preparation? Is your organization subject to GDPR and if so, are your current business practices GDPR-compliant?
Getting ahead of the exposure landscape for data privacy and security risks and their attendant regulatory compliance mandates has always been a challenge. Staying ahead of that evolving threat landscape is even more challenging. Join Arthur J. Gallagher and ID Experts as they present a 3-part webinar series during January, February and March addressing the following cutting-edge topics, which the market has been asking experts to address pragmatically with an eye toward real-time guidance: preventative services and tools to consider putting in place before an event occurs; GDPR planning in light of actual scenarios across organizations today, and what the insurance industry thinks of the evolving GDPR compliance exposure; and lastly, how to navigate the alphabet soup of compliance challenges between HIPAA, NYDFS and GDPR. Expert legal, forensic, underwriting and claims perspectives will examine and compare and contrast the compliance burdens that your organization will not be alone in grappling with during 2018 and going forward.
When you choose to partner with ID Experts, you not only ensure that your clients’ incident response is timely and accurate, you also protect your clients’ incident populations from the many types of identity theft, including medical, insurance, criminal, child, driver’s license, social security, synthetic, financial, and employment theft.