On May 25, 2018, the character of the cyber security and privacy risks facing companies of all sizes changed forever. That’s when the European Union’s General Data Protection Regulation (GDPR) officially became the cyber law of the land, protecting the data security of all citizens in the EU. In effect, the GDPR governs the rights of EU residents to know and exercise virtually total control over how their personal data is collected, processed, shared and retained.
The GDPR was motivated by concern over recent and spectacular data breaches sweeping through global organizations and affecting millions of consumers, compromising vast quantities of personal data. The potential reach of the regulation on the U.S. side of the Atlantic is significant. According to a Globe Newswire report of an independent survey conducted in 2016, 52 percent of all U.S. businesses reported that they possessed data on EU residents.
The GDPR is more encompassing than any data protection regulation currently in effect. It protects individuals by requiring strict data management controls, transparency and compliance on the part of all businesses that handle EU residents’ personal data. Upon request, individuals can demand an accounting of all personal data a business holds about them, even if that data is spread across multiple databases, including those of third parties. EU residents have an absolute right to see their data and demand corrective actions up to and including the purging of data, i.e., the “right to be forgotten.”
While the costs and complexity of establishing processes to comply with GDPR data requests may seem daunting, the consequences of non-compliance can be staggering. The most severe penalties levied for violations can be up to 4 percent of an organization’s global annual revenues.
While large multinationals are certainly subject to the GDPR, even smaller companies may be at risk. There is no issue if an EU citizen simply “Googles” a foreign website for information. However, if that individual registers personal data on the website of even a small, online business in the U.S., that business is now subject to the requirements of the GDPR.
Now that the GDPR is in place, a top priority should be a thorough review of all data management protocols to verify that the organization is in compliance. That review should also cover the data governance protocols of third-party organizations with which data may be shared. And because individual EU countries can undertake their own regulatory actions under the GDPR, it is important for organizations to seek risk management advice and assistance with a global perspective, such as an insurer or consultant with a clear understanding of the ramifications of the law can provide.
Beyond avoiding negative consequences of a violation, compliance with the GDPR may offer the benefit of relatively easy compliance with similar regulations influenced by the EU law in other parts of the world. Similar laws are likely if the serious breaches of recent times continue in the future.