A change of rules will affect UK companies
2018 will see the introduction of the EU’s General Data Protection Regulation (GDPR), which will put the onus firmly on companies to build data protection and privacy into their operations. The regulation recognises that protecting the privacy of individuals has become increasingly important as awareness of the risks, and the volume of personal data processed, both continue to increase. Companies will face draconian penalties for non-compliance, with fines of up to 4% of global turnover, or €20 million, for the mishandling of data breaches.
Although the UK is now set to leave the EU, the process of Brexit is unlikely to be complete by the time GDPR is adopted in May 2018. And even when Brexit does finally happen, the consensus amongst cyber risk experts is that UK companies will still have to comply with the new EU regulations, for a number of reasons.
If the UK does exit before the introduction of GDPR, then the UK Data Protection Act, as domestic legislation, will continue to apply. However, if exit occurs afterwards, the GDPR will be directly applicable until the date of formal exit, and new UK legislation will be needed to address the discretionary elements that the GDPR leaves up to Member States.
“In either case, it has been widely anticipated that from exit the UK will adopt a data protection law which is broadly similar to the GDPR. This would ensure the UK is considered ‘adequate’ for the purposes of data exports from the EU. If the UK joins the EEA, it would be required to adopt the GDPR,” says a report from law firm Allen & Overy.
“From a practical point of view, many multinational companies also find it more convenient to put in place policies and procedures that are consistent across the countries in which they operate and may already comply with many aspects of the GDPR as a matter of good practice. If the UK were to adopt less rigorous standards, this would be unlikely to affect their approach to compliance in the UK. It is also worth remembering that the reach of the GDPR will catch UK companies that offer products and services to, or monitor, data subjects within the EU,” says the Allen & Overy report.
In the short term, data protection legislation in the UK will remain unaltered. In the long term, things are less certain. There will be particular concern among businesses to ensure they can continue to transfer personal data freely around the EU, without the burden of alternative transfer mechanisms such as standard contractual clauses.
Sarah Steven, Jardine Lloyd Thompson’s Head of Cyber, Technology, and Media, says: “One result of the passing of the regulation will be increased attention on data privacy rights: the European Commission is promising public awareness campaigns to publicise the new rules.
“If businesses have not already started to prepare, they also face a significant exercise: they will need to review data protection policies; check their technological defences (including encryption); and map out their data exchanges within their organisation and with third parties to examine their vulnerabilities.”
The GDPR makes data protection a board-level issue, and a big part of the exercise must also be to revisit the requirements for cyber insurance. This is likely to lead to increased demand from companies wanting to insure themselves against the risk of a breach.
Steven says: “The introduction of mandatory notification of individuals when their data is breached drove the market for cyber insurance in the US; it’s long been expected that the introduction of the same in Europe under the GDPR will have a similar effect here. If businesses are considering cyber insurance, they need to start now.
One reason for this is that first-time cyber insurance purchasers will find the risk assessment and buying process quite involved; it often attracts board-level attention, and risk managers will want to make sure they have done appropriate due diligence on the new cover.
Another factor is that because most new cyber insurance policies are offered on a retro-inception basis, businesses will only be covered for notification costs of data breaches occurring after cover is in place.
So, prior breaches, even those that are only discovered subsequently, will not usually be covered. Some insurers do offer additional retroactive coverage, and insureds will have to decide whether or not that is worth the additional premium.
As cyber breaches have often stayed undiscovered for long periods in the past, businesses face the prospect of vulnerabilities coming to light, and being identified, only after the new regulation is in place.
Steven says: “Companies operating in Europe will now experience much more expensive data breaches, simply due to mandatory notification. Many cyber programmes offer broad coverage for incident response, but it’s critical that the coverage specifications are aligned with the organisation’s incident response plan.
“Since insurability of such fines is largely untested, additional certainty may be achieved by wrapping a Bermuda-based regulatory DIC layer around a European company’s cyber tower.”