Collecting personal data from EU residents

Having a strong online presence is a necessity for any modern business. No matter what size you are or what industry you’re in, having the capability to communicate with customers and carry out transactions online is now customers’ standard expectation. While most businesses are now savvy to the threats posed by a cyber breach or hack, many may not be aware of the new European privacy regulations introduced in May 2018 that are creating a whole new set of risks for companies that do business in the EU, either physically, or online.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a set of data protection rules for all companies that either (a) have an "establishment" in the European Union (EU) and "process" "personal data" in the context of the activities of that establishment, or (b) have no establishment in the EU but they process the personal data of individuals that are in the EU and such processing relates to (1) offering goods or services to an individual in the EU or (2) monitoring the behaviour of individuals, where that behaviour occurs in the EU (all words and phrases in quotations are defined in the GDPR). The rules aim to give consumers more control over their personal data, reshape the way organizations approach data privacy and create a more level playing field for businesses.

The GDPR has extra-jurisdictional effect and applies regardless of where a company is physically located. If your activities fall within (a) or (b) in the paragraph above, the GDPR applies to your company. In today’s connected marketplace, GDPR has a very wide reach.

GDPR requirements are, in many respects, more stringent and comprehensive than similar North American regulations, including the Personal Information Protection and Electronic Documents Act (Canada). The definition of personal data in the GDPR is broad, and the requirements around how to collect, use and disclose personal data in a compliant manner are, in general, more restrictive.

For example, under the GDPR a notification regarding most personal data breaches must be sent to the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Further, in many cases, breach notifications must also be sent to affected individuals without undue delay.

What are the consequences of non-compliance?

Companies that fail to comply with the GDPR could face significant financial penalties of up to €20 million or 4% of annual global turnover (whichever is greater) for the most serious infringements, such as violating the Privacy by Design concepts or having insufficient customer consent to process personal data. Less serious breaches of the GDPR, including not having records in order and not notifying the supervising authority and data subject about a breach, could lead to a fine of up to €10 million or up to 2% of annual worldwide turnover (whichever is greater).

Companies that fail to comply with the GDPR could face significant financial penalties, the insurability of which remains a bit of a grey area in most jurisdictions. Although a robust cyber insurance policy may cover a company’s exposure to privacy breaches under GDPR, PIPEDA and other privacy legislation, criminal penalties are almost never insurable.

Can insurance provide protection for GDPR fines / penalties?

Companies that fail to comply with the GDPR could face significant financial penalties, the insurability of which remains a bit of a grey area in most jurisdictions. Although a robust cyber insurance policy may cover a company’s exposure to privacy breaches under GDPR, PIPEDA and other privacy legislation, criminal penalties are almost never insurable.

Getting a good understanding of your own GDPR related risks is an important first step. Reducing your risk of being fined can be achieved through GDPR compliance.

If GDPR applies to your company, here are some things to consider

What personal data are we collecting and where are we storing it? The first step for any company is to understand exactly what personal data it collects and uses, and where it physically stores that personal data, so that it can then develop a GDPR compliance program.

Why are we collecting the personal data? ­ Under GDPR, all companies are required to be able to explain how the personal data they collect will be used. Companies also need to be able to send that information to the individual if requested to do so.

Do we have adequate consent to collect, use and disclose personal data?  GDPR contains strict consent requirements regarding the collection, use and disclosure of any personal data. Companies should ensure that they‘re compliant with such consent requirements.

What cyber risks do we face? ­­­ In addition to the myriad of other consequences that will arise from a data breach, the GDPR contains strict notification requirements with respect to data breaches. This is just one more reason to proactively analyze your cyber weak spots and to take steps to mitigate any risks.

What do we do if the worst case scenario does happen?  Having a data breach response strategy in place is essential. Make sure your key team members know exactly what to do and who to call as soon as you’re aware of the breach. Every minute counts.

Compliance is crucial but can be challenging in the murky and often complex world of online business. Being insured adds another, much-needed, layer of security against data breaches, but as we’ve noted above, privacy regulations are adding a whole new set of risk factors. So, when it comes to speaking to your insurance broker about renewing your cyber insurance policy, you may want to add ‘GDPR risks’ to your list of questions.