The General Data Protection Regulation – what you need to know
Several months ago, I was delivering a training course to a number of insurance brokers on ‘Cyber Liability Insurance’
I mentioned that I could not think of any business that didn’t have some sort of cyber liability exposure and therefore, there was a need to discuss cyber liability insurance cover for all of their commercial clients.
One broker did, however, come up with a suggestion of a business that didn’t have any cyber exposure – a hand car wash business that only accepts cash payments.
“Okay”, I remember saying, “I will amend that – I cannot think of many businesses that don’t have some sort of cyber exposure…”
Shortly after, when reviewing the course as part of my usual evaluation, it occurred to me that even a hand car wash business that only accepts cash payments is likely to have a cyber exposure, or at least a data exposure. A business of this type will have a number of employees, and it will need to collect, store and use their personal data, if only for payroll purposes, although I understand that this example would fall within an exemption under the Data Protection Act 1998.
However, the point I was trying to make was that cyber liability insurance is a class of business that needs to be discussed with all clients as, in one way or another, there will be an exposure.
Brokers need to be aware of this class of business and be able to discuss it with their clients – it is no good saying that they don’t understand it or it’s too confusing. Most insurance is – to the average person!
A European regulation that applies from 25 May 2018 will introduce mandatory reporting of data breaches to the regulator and, in some cases, notification of the affected individuals. Similar breach notification legislation in the USA (state laws, beginning with California in 2003) was followed by a massive increase in the cyber insurance market.
Whether the same happens here remains to be seen.
The regulation in question is the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Its aim is to harmonise the data protection laws currently in place across the EU member states. The fact that it is a “regulation” rather than a “directive” means it is directly applicable in all EU member states without the need for national implementing legislation.
Article 33 of the final text (Article 31 in the earlier draft text) states:
In the case of a personal data breach, the controller (organisation) shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent … unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
In the UK, the supervisory authority will be the Information Commissioner’s Office (ICO). A common question is which national regulator needs to be informed: the regulator of the country in which the business is based, or that of the country of the individuals whose data has been breached?
If the latter, which regulator is involved when individuals of several nationalities suffer a data breach? Could a business make the decision itself and perhaps opt for notifying a ‘light touch’ regulator?
The final text answers this through the ‘one-stop-shop’ mechanism (Article 56): for cross-border processing, the lead supervisory authority is that of the member state in which the controller has its main establishment, so the business does not get to choose.
There is an exception to notifying the regulator if, ‘the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals’ but what is meant by this phrase?
It is, of course, open to interpretation and will have to be looked at on a case-by-case basis based on the specific circumstances of any data breach.
Getting it wrong could have serious – and potentially costly – repercussions. It might be safer to notify.
Article 34 (Article 32 in the earlier draft text) is concerned with communication of a personal data breach to the data subjects (the individuals concerned).
This must be undertaken without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of individuals.
There are however exceptions to this requirement if:
the controller (organisation) has implemented appropriate technical and organisational protection measures so that the data is unintelligible to any person who is not authorised to access it, such as encryption
the controller (organisation) takes actions subsequent to the personal data breach to ensure that the high risk for the rights and freedoms of data subjects is unlikely to materialise or
it would involve disproportionate effort; in such cases, a public communication or similar measure that informs the data subjects in an equally effective manner must be used instead.
Note that this time the threshold is a high risk to the ‘rights and freedoms of individuals’, not merely a risk. The regulator (in the UK, the ICO) can also instruct an organisation to inform the data subjects if it has not already done so.
Breaches of the new rules can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
The intention of such high fines is to make data protection a board-level issue. Whilst the 4% figure is aimed at multinational organisations, a business of any size can face similar issues, with the potential for significant fines and costs in the event of a data breach.
Whether the GDPR does indeed result in a greater take-up of cyber liability insurance is open to debate, but it should certainly mean that businesses need to consider their cyber risks and cyber security arrangements.
Over the coming months, much will be written about the need for encryption or pseudonymisation (a word I have great difficulty pronouncing), both of which the GDPR names as examples of appropriate security measures.
For those businesses that, for whatever reason, do not see the need for a specific Cyber Liability insurance policy, the AXA Insurance Management Liability Policy (MLP) could be an alternative option.
This policy includes within it several areas of cyber liability insurance as well as the more usual directors’ and officers’, employment practices and company legal liability sections.
Within the company legal liability section, cover includes (subject to terms, conditions and exclusions, of course):
Breach of Data Protection cover – Loss for a breach of Data Protection law.
Cyber liability cover – Loss resulting from any cyber liability.
Data protection breach cover – The costs of rradar in contacting your customers and suppliers as legally required following a data protection breach.
Identity fraud cover – Loss resulting from identity fraud.
Loss of documents cover – Cost of replacing or restoring any document, data or information lost, damaged or destroyed whilst in your possession.
Negative social media crisis public relations costs cover.
Third party electronic funds transfer cover.
In addition, policyholders have access to rradar’s Advice Resource Centre (ARC) providing advice and guidance on a wide range of legal and regulatory issues such as:
Human Resources and employment
Health and Safety
Money laundering, fraud, bribery and corruption
Motoring and criminal offences
Information can be accessed online, by email or by telephone.
Our philosophy is to proactively help policyholders understand legislation, make sensible business decisions, stay compliant and stay out of trouble in the first place.
We are also able to offer insurance training services covering a wide range of technical and compliance subjects.
How rradar can help: