Count-down: New rules on data protection across Europe
First published in POST Magazine.
New rules on data protection will come into force in Europe next year. Sergio Pierro is a Professional Indemnity underwriter for International Financial Lines at XL Catlin, based in Paris, and focuses on cyber among other insurance coverages. He explains how companies can get ready for the changes ahead.
The General Data Protection Regulation will come into force in May 2018. What are the implications for European companies?
Firstly, because the regulation will apply consistently across the whole of Europe, it will mean that all data will need to be treated in a uniform way. All types of companies, even SMEs that handle any form of personal data will fall under the scope of the new rules. To be compliant, most companies must designate a Data Protection Officer (DPO). Many larger companies, it should be noted, already have a DPO. In cases of data breach, the potential sanctions are onerous - companies may be fined up to 4% of their annual worldwide turnover or up to 20 million Euros, whichever is greater. Furthermore, companies will be required to notify their country’s supervisory authority without delay (and where feasible within 72 hours of having become aware of a breach). One of the main changes that the regulation will introduce is the concept of the right to erasure, which will allow individuals to request the removal of their data under certain circumstances, and rights on data portability. Because the regulation is designed to protect the data rights of EU citizens, once a company holds the data of an EU citizen – even if it itself is not based within the EU - then it will need to comply with the new rules. For example U.S. companies also will be impacted by the General Data Protection Regulation (GDPR) and will need to be up to speed with the law and how it concerns the EU data they hold.
What are companies doing to get ready for the new rules?
We have been seeing increased interest in data encryption especially, for example, when data is transmitted from one office to another. We also are seeing increased use of separate data centres, and more interest in the physical security of places where personal data are stored. In addition, clients are asking questions about the way data is accessed – and whether that access could or should be restricted. Companies also are reviewing the security access to IT systems and are strengthening, for example, their login access policies as well as their virtual private networks access.
Is there increased interest in cyber coverage?
The impact of the regulation already is being felt, and companies are more and more interested in buying coverage for their cyber risks. Until a couple of years ago, many companies were simply investigating how much cyber coverage would cost. But in the past 18 months, we have been receiving many more requests for cyber programs. This increased interest is due in part to the upcoming GDPR but also to recent high-profile cyber-attacks which have alerted many clients to the potential of this coverage. The European market is beginning to catch up with the U.S. market where cyber insurance has been on offer for more than 15 years and where breach reporting requirements have, up until now, been stricter. The crisis management element of the cyber policy is the area that interests many clients the most. Cyber coverage allows clients to benefit from the expertise of IT forensics or legal counsellors when there is a breach or in the case of cyber extortion, for example. This coverage is usually granted with no sublimit or deductible within a pre-approved period of time.
What do clients need to be aware of when considering cyber coverage?
The key word here is education: brokers need to spend time with clients to discuss the risks and on what it is at stake. They need to help them understand their exposure, regardless of the size or the activity of the company. Cyber coverage can be a standalone policy or an extension to existing policies. In many cases, standalone coverage is likely to be more suitable so that policy sublimits are not exhausted.
About the author
Sergio Pierro is a Professional Indemnity Underwriter at XL Catlin. He can be reached at email@example.com