In the age of connectivity, personal data flows freely across oceans and international borders. What US businesses and their insurers are discovering, however, is that European Union regulations set to take effect this year will follow that flow, adding significant new data protection requirements – and steep penalties for non-compliance.

The General Data Protection Regulation (GDPR), which comes into force May 25, 2018, does not apply solely to EU organizations. The GDPR can apply in the US and elsewhere, under certain conditions.

For the first time, data processors – typically third parties contracted by organizations that control, or direct the use of, personally identifiable information (PII) – must comply with the GDPR if they process PII on people within the EU, no matter where in the world the processors are located. The EU law defines processing of personal data broadly and applies to any use of the data, whether storing, amending, transferring or destroying it. In addition, organizations deemed to control or process personal data must comply if they offer goods or services or monitor online behaviour, including through the use of cookies, within the EU. GDPR will also apply to businesses even if they only process personal data as part of transactions with EU organizations.

GDPR will introduce several changes, including:

  • A more onerous and granular data protection regime.
  • Greater accountability for data protection compliance.
  • Mandatory notification of supervisory authorities for certain data breaches, within 72 hours of becoming aware of such breaches.
  • Greater powers to regulators to enforce compliance.
  • Much higher liability for non-compliance.

These are major changes for US businesses, which already face a nationwide patchwork of differing state-based data protection regulations as well as several Federal schemes.

Consequences for non-compliance

Penalties for failing to comply with the GDPR are quite steep: the law details that EU regulators may impose fines of up to EUR 20 million (USD 23.9 million) or 4% of annual worldwide revenue, whichever is greater. Other potential consequences include reputational damage, public orders to suspend processing personal data, and private litigation.

Although many data protection regulations in the US are issued at the state level, a series of high-profile data breaches have attracted the scrutiny of federal regulators. In recent years, the US Federal Trade Commission has taken a more activist approach toward data protection, bringing suit in federal courts, initiating enforcement actions, and levying fines. Such actions have encouraged the plaintiffs’ bar to pursue cyber liability actions, citing FTC enforcement actions as evidence of wrongdoing. The additional requirements for data security imposed by the EU law may accelerate these trends in the US.

Rights of data subjects

GDPR gives a number of statutory rights to data subjects with respect to processing of their personal data. These include a right to:

  • Information on who is collecting their personal data and for what purpose.
  • Access the personal data being processed.
  • Restrict processing in specified circumstances, e.g. to prevent use of personal data for direct marketing.
  • Be forgotten, i.e. have their personal data erased in certain circumstances.
  • Data portability, such as requiring a structured and commonly used electronic form so personal data can be transferred.

In general, data subjects may exercise these rights only against controllers, not processors.

Next steps for US organizations

GDPR is the biggest shake-up in European data protection laws in the past 20 years. The law requires organizations to ensure data protection by design and default, putting cyber security at the front and centre of organizations’ focus on risk management. To meet GDPR requirements and demonstrate compliance, US and other organizations may have to implement new processes and/or technology – not only internally but also with external business partners that handle personal data within the EU.

It is essential for US companies and others that are subject to the GDPR to begin their compliance planning to ensure compliance by May 25. To assist with preparation, EU regulatory bodies and national authorities are expected to issue a raft of new guidance, but at the moment much of the detail about how the GDPR will work in practice is unclear. US organizations and their cyber liability insurers are advised to seek legal counsel with international expertise to discuss their options and obligations under the GDPR.