
Cyber insurance update: The long anticipated General Data Protection Regulation approved by European Parliament


For several years uncertainty prevailed over whether the European Parliament would ever pass the General Data Protection Regulation. The wait is over. The Regulation has now been approved by MEPs. Andrew Hill and Andrew Schütte review.

The headlines

The final version of the Regulation has not yet been published but, according to the European Parliament’s press release, the headline provisions are as follows:

  • a data subject has a right to be forgotten;
  • a requirement for ‘clear and affirmative consent’ to the processing of personal data by the data subject;
  • a right for data subjects to transfer their personal data to another service provider;
  • the right for data subjects to know when their data has been hacked;
  • a requirement in privacy policies for clear and understandable language; and
  • stronger enforcement and fines up to 4% of a company’s total worldwide annual turnover, as a deterrent for breaking the rules.

Once the Regulation has been published in the EU Official Journal, its provisions will be directly applicable in all member states two years after the date of publication.

Implications

The key provisions that were expected to be included within the Regulation are all there, including:

(1) mandatory notification requirements (although how soon notification is required after the discovery of the breach remains to be seen);

(2) the right to be forgotten; and

(3) substantial fines for failing to comply with the provisions of the Regulation.

The mandatory notification requirements in particular are likely to bring Europe more in line with the US, where organisations have been required to notify data breaches in most states for several years. The costs associated with the notification exercise are invariably considerable and insurance has played an integral role in providing solutions following a suspected or actual data breach.

From a UK perspective, the prospect of Brexit means the impact of this development remains uncertain. For entities based in Europe, or with operations in Europe, however, the countdown to compliance with the new rules starts now.