In May 2018, the European Union launched the General Data Protection Regulation (GDPR): a new directive with the ability to fine a company up to 4% of global revenues for failing to safeguard sensitive client data.

But you don’t have European operations, so you don’t need to worry, right? Well, not exactly. If you have customers that live in the EU, or business partners that operate in the EU, the demands of the GDPR may have already landed on your desk.  And even if they haven’t, this type of regulation is likely to make its way across the Atlantic in the near future. It’s in your best interests to get on board with the new rules.

What’s changed and what’s in store?

The first 100 days since the GDPR came into effect were unremarkable, despite a noticeable increase in complaints about the misuse of personal data.  However, almost immediately after the 100 day mark, British Airways reported a massive breach of customer data. Initial reports from RiskIQ named a group of hackers known as “Magecart” as the suspected perpetrators behind last week’s attack. We still don’t know the extent of BA’s culpability in the breach that saw more than 300,000 accounts compromised.

Regardless of who is to blame, in 2018 we know that even if an organization takes all proper precautions, a data breach is nothing short of inevitable.  Still, in direct contrast to the many cautionary tales out there of what NOT to do when it happens to you, BA took all of the right steps to restore customer trust. They informed customers immediately, confirmed that passport data was safe, outlined action plans, brought in authorities, and alerted the regulators.

Crisis averted? No. The next day close to CAD 900 million was wiped off the market value of BA’s parent company.  Why?  If BA is found to be out of compliance with the demanding protection laws of the EU’s GDPR, then the UK regulator could fine BA up to 4% of global revenues – that’s a fine of over CAD 1.5 billion. What does it really mean to be compliant with the GDPR?

The GDPR mandates that companies must:

1. Obtain EXPLICIT consent from customers when processing or collecting sensitive personal information. This is mandatory.  Customers must opt-in after seeing a statement that defines the data to be collected, how it is used, how long it will be stored as well as any associated risks.  Firms must re-acquire consent whenever they repurpose the collected data. There is no grandfathering in, and customers can withdraw consent at any time.
2. Respect the right to be forgotten. If a customer withdraws consent, they have the right to request erasure of any personal information that’s been collected. The challenge lies in determining where all of the customer’s information resides, how it can be deleted, and whether you have shared this information with third parties. If yes, you will have to confirm that any third parties have deleted the information as well.
3. Conduct Data Protection Impact Assessments before undertaking any project that places personal data in permanent storage. The purpose of the assessment is to confirm compliance with privacy regulations, determine the impact of using the personal information, and more.
4. Employ a Data Protection Officer if the companies make use of customer personal data and have over 15 employees.
5. Report data breaches within 72 hours of discovery.
6. Deploy data encryption and other technical precautions when collecting and processing sensitive personal information.

Your next steps:

1. If you have operations in the EU, or customers that live in the EU, act quickly to comply with the GDPR or you could face fines.
2. If you partner with firms in the EU, and have access to sensitive data, reach out so that you have adequate time to plan and implement safeguards and procedures. EU firms are already placing pressure on Canadian partners to become GDPR-compliant.
3. If you believe that you have a material level of exposure, have a third party specialty firm audit your company for GDPR compliance. Self-audits are often not adequate and not defensible in court. In addition, you could find yourself uninsurable for this risk unless you can demonstrate that you have had a third party audit.
4. If you have operations or clients in Canada, North America or Asia – dig the well before you are thirsty:

• • Prepare to report a data breach quickly. The CURRENT law in Canada states that data breaches must be reported as quickly as possible and without any unreasonable delay.
  • Line up the legal and public relations support, and plan on how to keep your business running as you deal with the crisis.
  • Ensure that you will have adequate funds in place for any damages.
  • Know that some version of GDPR is coming to a country near you.

The good news is that many customers are willing to forgive data breaches when a company is contrite, communicates, and acts to reduce the immediate customer impact and likelihood of recurrence.  It’s possible to minimize reputational damage. The bad news? Future regulations may not be so forgiving.

Need guidance? We will help you plan and protect. We can share what steps others in your industry are taking and advise you based on your unique operations. Our goal is to build resilient organizations.

We are PROLINK–Canada’s Insurance Connection.