April 23, 2018
Europe’s New Data Breach Requirements
by John Barchie
U.S.-based businesses that have operations in the E.U. or that have E.U. citizens as customers will soon face stiff new requirements.
The number of foreigners purchasing property in the U.S. surged between March 2016 and March 2017, according to the National Association of Realtors. The association said foreigners bought 284,455 properties, about a third more than a year earlier. And, similar to previous years, a larger percentage of buyers, especially in states like Florida and Arizona, were European citizens. European home buyers who insure their properties through U.S. companies could require those businesses to upgrade their data protection efforts soon.
As of May 25, U.S.-based businesses that have operations in the European Union (EU) or that have customers who are citizens of EU nations will have new data protection requirements to meet. This is when the new General Data Protection Regulation (GDPR) takes effect. Any company that experiences a data breach while unprepared to meet the new regulation could face massive fines.
GDPR was designed to better protect the data of EU citizens. Standards vary based on where the data originates, but generally any information such as name, address or credit card number is covered. In the domestic U.S., protected data is defined as personally identifiable information (PII); under GDPR, the equivalent for an EU citizen is called personal data. Failure to protect PII or personal data to the required standard could bring a hefty bill or, on repeated failure, even an order to cease doing business in EU countries.
Current U.S. data privacy regulations require companies to notify customers if a data breach occurs, but there can be a significant delay between the breach and the notification letter; not so with GDPR. GDPR requires that supervisory authorities be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be $26 million or 4% of global gross revenue, whichever is greater.
Insurance companies selling plans to EU citizens purchasing homes, rental properties or commercial properties in the U.S. could be affected by GDPR because they gather personal data on applications and store data on customers. If a hacker breaches the insurance company’s systems and gains access to EU citizen data, the company would be required to notify the GDPR supervisory authorities and prove that it met all GDPR requirements. Failure to cooperate with an investigation or to meet GDPR requirements could lead to fines or worse.
The first step toward compliance for any company is determining whether it needs a data protection officer (DPO) and, if so, assigning one. A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any event where GDPR-covered data may have been lost. The DPO will be the point person for any GDPR issue with the affected persons and with the supervisory authority. Because the DPO will be instrumental in proving a company’s compliance with GDPR, this individual needs to know both the regulation and the company’s security protocols inside and out. If a company is not required to have a DPO, it should still have a plan for whom it will call if the supervisory authority opens an investigation.
Additionally, any personal data that a company lawfully receives, stores or processes needs to be encrypted, both at rest and in transit: complete end-to-end encryption. GDPR does not allow for lenience regarding outdated software or new implementations that are still being evaluated for deployment.
Companies will also be required to complete data protection assessments and privacy impact assessments. These assessments are meant to give the company visibility into the impact a breach would have on customers and on the company itself, should one occur. All efforts made to comply with GDPR need to be documented so they can be provided to a supervisory authority on request. The best source of information on the regulation’s requirements is gdpr-info.eu.
Once GDPR takes effect, if a company experiences a breach or is contacted by a GDPR supervisory authority, the best course of action is to show an attitude of compliance by offering complete support for the investigation. Then, contact the legal team. It is important to remember that complying with GDPR can be complex. It takes time to update systems and processes to the level of security required by the new regulation. It can also be costly and disruptive, but the protection of data is becoming paramount in the new business paradigm. Under GDPR, the cost of compliance is designed to be less than the cost of sanctions.