GDPR is here and it has every big company shaking in its boots. Why? GDPR stands for General Data Protection Regulation, and it’s Europe’s latest personal data framework. The law was officially adopted on May 25, 2018 and it protects the personal information of all EU citizens.
GDPR is a Privacy Game Changer
GDPR provides EU citizens with three fundamental rights:
- To know and see what personal information is collected, stored and used by a company
- That consent to use their personal information must be explicitly given, informed, and unambiguous before that data can be collected, used or stored
- That consent may be revoked, and information subsequently removed by the company
EU citizens are not only entitled to consult what personal data you have collected, they can also request to receive a hard copy in a commonly used machine-readable format; ask what you use that data for; ask to modify or delete it; or ask that you provide a copy of their data to one of your competitors.
The Consequence of Failing to Comply
Under GDPR, companies can receive fines of 20 million Euros or 4% of total annual revenues, whichever amount is greater. Facebook escaped a fine for its recent privacy breach fiasco, where data on eighty-seven million Facebook users was leaked to Cambridge Analytica; however, on the very first day of GDPR they weren’t so lucky. Facebook and Google were both hit with fines on Monday within hours of the new regulation that collectively amount to about $8.8 billion USD.
The two big questions facing Canadian companies are how exposed they are to GDPR, and how likely they are to be fined for it. EU legislators, particularly German legislators, are tough. They commented as they were drafting the law that the fines were in their opinion rather conservative. It stands to reason that if a claim is made, an instance filed, and an investigation conducted finding the company at fault, fines will follow.
History seems to suggest that Canadian companies will be less exposed at first, as the regulatory bodies will focus on EU companies. Companies in member nations are easier to prosecute, but that won’t shield Canadian companies from litigation for long, especially if a privacy breach occurs. In that case, you’ll need to notify the supervisory authorities within 72 hours of any potential breach.
What You Can Do to Be GDPR Compliant
Canada already has pretty stringent privacy laws: PIPEDA, CASL and soon, the Digital Privacy Act. The latter Act, which received royal assent in 2015 under Harper, comes into effect on November 1st. When it does, companies will need to record and report any and all potential privacy breaches, no matter how minor, or incur a fine of up to $100,000 per record. Companies must also notify the individuals if it is reasonable to believe that the breach creates a real risk of significant harm to those individuals.
To comply with GDPR, companies need to ensure that consent is always obtained, that they explain clearly how the information collected will be used, and that they can send that information to the individual or another party if requested to do so, or delete it. Data acquired before May 25th doesn’t require a re-opt-in campaign if you have already obtained explicit consent, but to be on the safe side, reset the cookies on your website and make sure your new consent form explicitly details what info is being collected and for what purpose.
Cyber insurance can cover a company’s exposure to privacy breaches under GDPR, DPA, PIPEDA and CASL. Companies also need to train for and adopt basic enterprise-wide risk management principles:
- What data is collected and where is it stored; who has access to it
- What risks are you exposed to (of data being hacked, stolen by an employee…)
- What to do to protect against those risks (measures)
- What to do in case of a crisis (countermeasures), for instance a privacy breach
Why Cyber Insurance Might Be Right for You
Cyber insurance isn’t a get-out-of-jail-free card, nor is it meant to incentivize bad behaviour. If a company is wilfully negligent or ignorant of GDPR, it should not expect cyber insurance to foot the bill, but cyber insurance will cover the sizable costs and fees resulting from accidental events like privacy breaches.
What about the fines? That really depends on the policy and its wording, as no two policies are the same.
You should also know that the costs of handling a potential privacy breach can be considerable. In the event of a privacy breach, you’ll need to reach out to your customers and notify the Canadian privacy commissioner and European supervisory authorities. You’ll also need to find out what happened exactly, why it happened, how compromised the data is, what information got out, who is to blame and how to prevent it from happening again.
In some cases, your system will have been hacked and left weakened, damaged or destroyed, partially or in whole. In other cases, an employee will have accessed the data illegally, forcing you to improve your security and access protocols.
And then, you’ll be faced with defence costs, including the costs of hiring those expert consultants, witnesses and legal eagles, and any resulting court fees. That’s why you should consider getting cyber insurance. Less than 20% of Canadian companies currently have this coverage, though more and more have signed on since the advent of CASL and GDPR.
Many thanks to Greg Markell, CEO of Ridge Canada, for providing valuable information about cyber insurance products and the potential impact of GDPR on Canadian companies. Ridge Canada Cyber Solutions is a Canadian Managing General Insurance Agency that provides cyber insurance products, consulting and loss control services to Canada’s insurance agents and brokers.