New legislation brings changes to how data is handled
April 2018
Lockton Companies

New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses are not located in the EU. US-domiciled organizations often draw the attention of EU regulators. Enforcement of the General Data Protection Regulation (GDPR) begins on May 25, 2018, replacing the existing EU Data Protection Directive. The GDPR is similar to the previous data protection law but with some new and enhanced requirements.

MAX PERKINS
Senior Vice President
Global Cyber Technology Practice
44.207.933.2694
max.perkins@uk.lockton.com

Companies should assess their operations and policies concerning personal data usage and its protection to ensure they are GDPR compliant.

What is considered personal data under GDPR?

The new regulations broaden the scope of the definition of personal data. For example, it now includes online identifiers such as IP addresses. Furthermore, it imposes additional obligations and restrictions on the processing of specific categories of personal data. Those categories include:
- Personal data revealing racial or ethnic origin.
- Political opinions, religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Data concerning health.
- Data concerning a person's sex life or sexual orientation.
Who does the GDPR affect?

The new law places requirements on controllers and processors who:
- Operate within the EU.
- Are located outside of the EU but offer goods and services to individuals in the EU.
- Monitor the behavior of individuals in the EU.

GDPR defines:
- A controller as a natural or legal person, public authority, agency or another body that alone or jointly with others determines the purposes and means of processing personal data.
- A processor as a natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.

The United Kingdom (UK) government has confirmed that its decision to leave the EU will not affect the implementation of the GDPR.

Penalties and other financial risks

The GDPR significantly increases organizations' financial risk exposure by imposing tough monetary sanctions for failing to comply with the regulation. Here is how those penalties are structured:
- Tier 1: Infringements of key GDPR provisions can result in fines of up to $24.48 million (€20m) or 4 percent of the organization's global revenue in the preceding financial year (whichever is greater).
- Tier 2: Procedural infringements of GDPR can result in fines of up to $12.24 million (€10m) or 2 percent of the organization's global revenue in the preceding financial year (whichever is greater).

While GDPR is not just about financial penalties, the potential fines should make its implementation a board-level issue.
Explicit requirements of GDPR

Data breach notification in the event of breach:
- Controllers are required to notify the appropriate authorities without undue delay and within 72 hours (if feasible) of learning about the breach. There is an exception for breaches unlikely to result in risk to the rights and freedoms of individuals.
- Controllers must notify the affected individuals without undue delay if the breach results in a high risk to the rights and freedoms of individuals.
- The notification must include:
  - Nature of the data breach.
  - Categories and the approximate number of data subjects and personal data records concerned.
  - Contact information for the organization's data protection officer.
  - Likely consequences of the breach.
  - Measures the controller has taken or proposes to take to mitigate the breach.
- Processors are required to notify the controller of a data breach without undue delay after becoming aware of the event.

Data protection officers

Companies that are controllers or processors may need to appoint a data protection officer (DPO). This applies to companies:
- That are either a public authority or body (except for courts acting in their judicial capacity).
- Whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Processing large amounts of data and personal data relating to criminal convictions and offenses.

Companies that meet this requirement will need to comply with the tasks and responsibilities of a DPO under the GDPR.
Greater rights for individuals

GDPR gives added protection and rights to individuals through a number of its provisions while requiring stricter enforcement. Individuals now have the right to:
- Erasure of personal data.
- Restrict processing.
- Data portability.
- Not be subject to automated individual decision-making.
- Enhanced individual access requests.

Some of these rights will increase the administrative burden on organizations, creating a need to implement new processes and systems. The broader rights available also mean organizations will likely receive a more extensive range of requests from individuals. In particular, GDPR requires organizations to notify third parties when individuals want to exercise these rights unless that proves impossible or involves a disproportionate effort. For organizations that disclose large amounts of data to third parties, this may be particularly burdensome.

Is there a guide for becoming GDPR compliant?

Many required changes will take time to implement, including new or revised policies and procedures, employee training, and in some cases, technology updates. Here are some resources that can help with compliance.

Legal services

Legal counsel can assist with contracts and employee awareness and can help you understand the regulation and its impact on your business. GDPR requires specific compliance and interaction with regulators if a data breach occurs. Privacy counsel will be able to assist with those reporting requirements and with notifying affected individuals.

Suppliers and service providers

Suppliers and service providers process personal data on your behalf and need to be compliant with GDPR. Do your contracts require your suppliers and service providers to notify you of a data breach?
Information technology

The processing of personal data, including its use and storage, is a focus of GDPR. Internal stakeholders must fully understand the impact of GDPR on the way in which you work with information. A strong technology team will be important. Outside consultants can be a resource to provide best practices within your industry. When security incidents occur, external forensic computer consultants can determine what did and did not happen. This information, combined with the advice of legal counsel, can help frame effective communication to affected individuals and regulators.

Insurability of data breaches

More companies understand the importance of cyber coverage in their risk management program than ever before. GDPR comes with a natural view toward liability. Cyber insurance can cover the costs associated with managing a data breach. Insurance not only pays claims, but helps connect your company with privacy counsel, forensic computer consultants and communications firms at short notice. An experienced cyber broker can evaluate your risk and the potential impact of GDPR.

One issue surrounding GDPR with which the insurance industry is currently grappling is the insurability of fines or penalties. It may depend on whether the behavior provoking the fine or penalty would be considered criminal or quasi-criminal by a court of law. Punitive or criminal fines are likely to be issued in instances where negligent or reckless behavior was displayed. We believe fines arising out of GDPR that are punitive in nature will ultimately be deemed uninsurable under the law of England, Wales and other EU jurisdictions. On the other hand, we understand from underwriters that they intend to cover regulatory fines and penalties. The result is insurance contract wording which states coverage "where insurable by law." The ultimate determination will come when a claim is declined by insurers and then challenged by the insured.
Or, this will be clear when case law around ICO fines and penalties comes into play. This leaves companies in a position of uncertainty. If you are a US-domiciled insured and purchasing insurance subject to US law, then the insurability of a regulatory fine or penalty is state-dependent. It is best to speak with your insurance broker and insurance carrier regarding your specific situation.
Separately, it is important to think about your service-providing partners. Because US underwriters are not licensed to cover named insureds outside of the US, a European service provider may have trouble providing absolute confirmation that fines will be insured. The best they can do, and the best your US insurer can do, is to state "covered if insurable by law."

Finally, GDPR changes the landscape regarding the private right of action in the UK and elsewhere in the EU, with any person able to seek compensation for material or non-material damage they suffer following a breach of the regulation. This means that litigation will likely increase in this area. A competent cyber policy will, at the least, cover the defense costs associated with a regulatory investigation, third-party suit or demand related to privacy or security liability.

If history is anything to go by, each country will have a different attitude toward compliance, which may lead to a degree of uncertainty across the region. Data security remains an important aspect of this regulation. Lockton specializes in a range of services including data breach response, information security and reputational harm recovery. Your Lockton team can help you access these services.

Enforcement of GDPR

The Information Commissioner's Office (ICO) will enforce the regulation in the UK; the Federal Commissioner for Data Protection and Freedom of Information will enforce the regulation in Germany. In Germany, where data privacy has been a hot topic for some time, the commissioner is likely to take one of the firmest stances. However, some US companies are storing data in Germany because of the clarity the government provides on its strict rules. A full list of regulatory bodies enforcing GDPR throughout Europe and their guidance is available here.
You can find more information on the GDPR on the ICO's website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

Please note that the purpose of this document is to provide a summary of and our thoughts on the GDPR. It does not contain a full analysis of the law, nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon, and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article.

No part of this document may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.
Our Mission
To be the worldwide value and service leader in insurance brokerage, risk management, employee benefits and retirement services

Our Goal
To be the best place to do business and to work

RISK MANAGEMENT | EMPLOYEE BENEFITS | RETIREMENT SERVICES
lockton.com

2018 Lockton, Inc. All rights reserved. KC: 42216