EU data protection: this time it’s personal
New EU General Data Protection Regulations (GDPR) were agreed at the end of last year, and are set to replace current UK Data Protection Act 1998 laws from 25 May 2018.
The new rules are designed to strengthen the rights individuals have over their data, and simplify the regulatory environment to provide further clarity and legal certainty for businesses.
Since the current data protection rules were put in place in 1998, we have seen a transformation in the threat faced by companies from cyber hackers and associated data breaches. The high profile attack against Yahoo provides a recent example. This could be one of the largest cybersecurity breaches ever, and Yahoo recently confirmed that the hack may have compromised data associated with up to one billion user accounts.
With the increasing occurrence of such attacks and larger amounts of personal data held online, the new data protection rules are key for businesses to safeguard their customers’ personal data.
EU regulations in a post-Brexit UK
The GDPR will apply to any company that handles EU citizens’ data and imposes restrictions on the transfer of personal data outside the EU, to ensure that the level of protection of individuals’ data is not undermined. Where a company is based outside the EU, but handles EU citizens’ personal data, the European Commission will determine whether that country is able to ensure an “adequate level of protection” for the data, before any transfers of data can be made.
Once the UK leaves the EU, such a consideration will have to be made in regards to UK businesses which hold personal data of EU citizens. A “safe” rating for the UK will not be automatic, and will depend on whether the UK agrees to implement equivalent data protection laws in 2018.
Under the new rules, businesses will not only need to comply with the regulations, but must also demonstrate their compliance (Article 5(2)). Non-compliance with the GDPR will attract heavy fines of up to 4% of a company’s global turnover or €20 million – whichever is higher.
The rules state that calculating the fine of up to 4% will be based on “annual turnover of the preceding financial year”, although no guidance is given on whether the preceding year relates to the date of the breach or to the date the breach is disclosed.
Take a recent example where a large multinational company has suffered a data breach as a result of the cyber-attacks on Yahoo. Yahoo has confirmed that names, phone numbers, passwords and email addresses were stolen, but no bank and payment data was taken. If the GDPR was current law, as Yahoo failed to report the exposure within 72 hours, they would have faced massive fines. If we take 2015 as the year of the data breach, Yahoo could have been fined up to €188 million. Either way, these fines are demonstrative of the need for businesses to take a very careful approach to data security.
New regulations – key changes
Businesses will face joint liability with their data management partners. This is a key tenet of the reforms. At present, only the data controller is liable for a data breach. The GDPR extends liability to include providers of outsourced operations (data processors). Given the deterrent nature of the fines that could be imposed, businesses are likely to want to manage their outsourced operations very closely.
Further, any breaches must be reported to the relevant supervisory authority within 72 hours. Failure to do so can result in a fine of up to €10 million or 2% of global turnover.
Impact on the market
Until the Commission makes a decision on whether the UK is “safe” for the transfer of data, EU companies will have to consider whether they are able to transfer personal data to the UK. In anticipation of these considerations, companies should ensure they have appropriate security procedures in place to prevent loss of data by the time the legislation comes into force in early 2018.
The existing market may wish to review the level of premium in light of the dramatic increase in penalties, or in the alternative consider a cap on the level of an indemnity. Consider the impact of the imposition of an EDPR fine on a company such as Yahoo. Rather than facing the current maximum fine of £500,000, if the data breach had taken place under the EDPR, it could risk receiving fines within the range referred to above. We believe that insureds will have no choice but to seek some form of cover.
Related item: EU data protection: regulation awakens