New legislation brings changes to how data is handled


April 2018 | Lockton Companies

New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses are not located in the EU. US-domiciled organizations often draw the attention of EU regulators. Enforcement of the General Data Protection Regulation (GDPR) begins on May 25, 2018, replacing the existing EU Data Protection Directive. The GDPR is similar to the previous data protection law but with some new and enhanced requirements.

MAX PERKINS
Senior Vice President, Global Cyber Technology Practice
44.207.933.2694
max.perkins@uk.lockton.com

Companies should assess their operations and policies concerning personal data usage and its protection to ensure they are GDPR compliant.

What is considered personal data under GDPR?

The new regulation broadens the scope of the definition of personal data. For example, it now includes online identifiers such as IP addresses. Furthermore, it imposes additional obligations and restrictions for the processing of specific categories of personal data. Those categories include:
- Personal data revealing racial or ethnic origin.
- Political opinions, religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Data concerning health.
- Data concerning a person's sex life or sexual orientation.

Who does the GDPR affect?

The new law places requirements on controllers and processors who:
- Operate within the EU.
- Are located outside of the EU but offer goods and services to individuals in the EU.
- Monitor the behavior of individuals in the EU.

The United Kingdom (UK) government confirmed that its decision to leave the EU will not affect the implementation of the GDPR.

GDPR defines:
- A controller as a natural or legal person, public authority, agency or another body that alone or jointly with others determines the purposes and means of processing personal data.
- A processor as a natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.

Penalties and other financial risks

The GDPR significantly increases organizations' financial risk exposure by imposing tough monetary sanctions for failing to comply with the regulation. Here is how those penalties are structured:
- Tier 1: Infringements of key GDPR provisions can result in fines of up to $24.48 million (€20m) or 4 percent of the organization's global revenue in the preceding financial year (whichever is greater).
- Tier 2: Procedural infringements of GDPR can result in fines of up to $12.24 million (€10m) or 2 percent of the organization's global revenue in the preceding financial year (whichever is greater).

While GDPR is not just about financial penalties, the potential fines should make its implementation a board-level issue.

Explicit requirements of GDPR

Data breach notification

In the event of a breach, controllers are required to notify the appropriate authorities without undue delay and within 72 hours (if feasible) of learning about the breach. There is an exception for breaches unlikely to result in a risk to the rights and freedoms of individuals. Controllers must notify the affected individuals without undue delay if the breach results in a high risk to the rights and freedoms of individuals.

The notification must include:
- Nature of the data breach.
- Categories and the approximate number of data subjects and personal data records concerned.
- Contact information for the organization's data protection officer.
- Likely consequences of the breach.
- Measures the controller has taken or proposes to take to mitigate the breach.

Processors are required to notify the controller of a data breach without undue delay after becoming aware of the event.

Data protection officers

Companies that are controllers or processors may need to appoint a data protection officer (DPO). This applies to companies:
- That are either a public authority or body (except for courts acting in their judicial capacity).
- Whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Processing large amounts of data and personal data relating to criminal convictions and offenses.

Companies that meet this requirement will need to comply with the tasks and responsibilities of a DPO in the GDPR.

Greater rights for individuals

GDPR gives added protection and rights to individuals through a number of its provisions while requiring stricter enforcement. Individuals now have the right to:
- Erasure of personal data.
- Restrict processing.
- Data portability.
- Not be subject to automated individual decision-making.
- Enhanced individual access requests.

Some of these rights will increase the administrative burden on organizations, creating a need to implement new processes and systems. The broader rights available also mean organizations will likely receive a more extensive range of requests from individuals. In particular, GDPR requires organizations to notify third parties when individuals want to exercise these rights unless that proves impossible or involves a disproportionate effort. For organizations that disclose large amounts of data to third parties, this may be particularly burdensome.

Is there a guide for becoming GDPR compliant?

Many required changes will take time to implement, including new or revised policies and procedures, employee training and, in some cases, technology updates. Here are some resources that can help with compliance.

Legal services

Legal counsel can assist with contracts and employee awareness and can help you understand the regulation and its impact on your business. GDPR requires specific compliance and interaction with regulators if a data breach occurs. Privacy counsel will be able to assist with those reporting requirements and with notifying affected individuals.

Suppliers and service providers

Suppliers and service providers process personal data on your behalf and need to be compliant with GDPR. Do your contracts require your suppliers and service providers to notify you of a data breach?

Information technology

The processing of personal data, including its use and storage, is a focus of GDPR. Internal stakeholders must fully understand the impact of GDPR on the way in which you work with information. A strong technology team will be important. Outside consultants can be a resource to provide best practices within your industry. When security incidents occur, external forensic computer consultants can determine what did and did not happen. This information, combined with the advice of legal counsel, can help frame effective communication to affected individuals and regulators.

Insurability of data breaches

More companies than ever before understand the importance of cyber coverage in their risk management program. GDPR comes with a natural view toward liability. Cyber insurance can cover the costs associated with managing a data breach. Insurance not only pays claims but helps connect your company with privacy counsel, forensic computer consultants and communications firms at short notice. An experienced cyber broker can evaluate your risk and the potential impact of GDPR.

One issue surrounding GDPR with which the insurance industry is currently grappling is the insurability of fines or penalties. It may depend on whether the behavior provoking the fine or penalty would be considered criminal or quasi-criminal by a court of law. Punitive or criminal fines are likely to be issued in instances where negligent or reckless behavior was displayed. We believe fines arising out of GDPR that are punitive in nature will ultimately be deemed uninsurable under the law of England, Wales and other EU jurisdictions. On the other hand, we understand from underwriters that they intend to cover regulatory fines and penalties. The result is insurance contract wording which states coverage "where insurable by law." The ultimate determination will come when a claim is declined by insurers and then challenged by the insured, or when case law around ICO fines and penalties comes into play. This leaves companies in a position of uncertainty.

If you are a US-domiciled insured purchasing insurance subject to US law, then the insurability of a regulatory fine or penalty is state-dependent. It is best to speak with your insurance broker and insurance carrier regarding your specific situation.

Separately, it is important to think about your service-providing partners. Because US underwriters are not licensed to cover named insureds outside of the US, a European service provider may have trouble providing absolute confirmation that fines will be insured. The best they can do, and the best your US insurer can do, is to state "covered if insurable by law."

Finally, GDPR changes the landscape regarding the private right of action in the UK and elsewhere in the EU, with any person able to seek compensation for material or non-material damage they suffer following a breach of the regulation. This means that litigation will likely increase in this area. A competent cyber policy will, at the least, cover the defense costs associated with a regulatory investigation, third-party suit or demand related to privacy or security liability. If history is anything to go by, each country will have a different attitude toward compliance, which may lead to a degree of uncertainty across the region.

Data security remains an important aspect of this regulation. Lockton specializes in a range of services including data breach response, information security and reputational harm recovery. Your Lockton team can help you access these services.

Enforcement of GDPR

The Information Commissioner's Office (ICO) will enforce the regulation in the UK; the Federal Commissioner for Data Protection and Freedom of Information will enforce the regulation in Germany. In Germany, where data privacy has been a hot topic for some time, the commissioner is likely to take one of the firmest stances. However, some US companies are storing data in Germany because of the clarity the government provides on its strict rules. A full list of regulatory bodies enforcing GDPR throughout Europe and their guidance is available here.

You can find more information on the GDPR on the ICO's website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

Please note that the purpose of this document is to provide a summary of and our thoughts on the GDPR. It does not contain a full analysis of the law, nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this document may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.


Our Mission: To be the worldwide value and service leader in insurance brokerage, risk management, employee benefits and retirement services.

Our Goal: To be the best place to do business and to work.

RISK MANAGEMENT | EMPLOYEE BENEFITS | RETIREMENT SERVICES
lockton.com
© 2018 Lockton, Inc. All rights reserved. KC: 42216