The European General Data Protection Regulation (GDPR) was adopted by the European Parliament on Thursday 14th April 2016. It now only remains to be published in the Official Journal of the European Union to become law. The regulation has been three years in the making and is reputed to be the most lobbied piece of European legislation ever. It replaces the 1995 Data Protection Directive, which is the basis of the UK's Data Protection Act 1998. However, the new GDPR becomes law in member states without the need for domestic legislation. Leaving aside Brexit, it will be part of UK law immediately. The Regulation has built into it a two-year period for everyone to prepare to comply, and its provisions will actually take effect in the summer of 2018.
The GDPR is a long and detailed document, and of course we already have a data protection regime, but there are key changes under the GDPR. Previously most data protection obligations fell upon data controllers as opposed to data processors. The GDPR applies to both. Its territorial reach is wider, effectively applying to anyone handling the data of EU citizens. Businesses must know what data they hold, and data protection measures must be part of business processes. Consent to data processing must be more clearly and freely given, and the data controller must be able to produce evidence of it. Many organisations will need to appoint a data protection officer. There is also a form of right to be forgotten as part of the GDPR. There is now an obligation to notify data breaches to the relevant authorities within 72 hours of awareness. Some breaches must also be notified to the affected data subjects. Fines for non-compliance are tiered, with the top tier a headline-grabbing 4% of global turnover. The GDPR also seeks to establish a one-stop shop to limit the data protection authorities to which multi-jurisdictional organisations need to answer.
Although many will see burdens imposed by the GDPR, having a more comprehensive and uniform data protection regime across Europe is probably no bad thing. Organisations need to start by understanding what data they acquire, hold and process, and the legal basis for that. Privacy needs to be designed into systems and processes, and respect for data subject rights needs to be stepped up. Policies and procedures for handling any security breaches need to be in place. The two-year implementation period may sound relaxed, but it will only be so for those who start to tackle the issues raised by the GDPR now. At its heart, however, data protection is about the same issues – understanding what data you hold and why.
It will be interesting to see if finalisation of the GDPR now brings about an upsurge in sales of cyber policies over the next two years, which has been widely anticipated in the cyber risk insurance sector. Whereas accurate modelling of cyber attack accumulation scenarios has so far proved difficult for policy pricing purposes, losses relating to the data protection breach aspects of the GDPR are relatively easy to model and price, and therefore suitable cover should be available for GDPR risks.