Many companies are preparing themselves for the EU’s new data protection regulation, but others remain ignorant of the requirements

Monte Carlo harbour

Awareness is still patchy among companies about the requirements for the EU’s incoming General Data Protection Regulation (GDPR).

The costs – and not just the fines – could be high for those firms still ignorant of the dangers once the legislation is enforceable by EU regulators from 25 May 2018.

That was the message from Leslie Clement, consultant, Aon Risk Solutions, speaking to StrategicRISK at the FERMA Forum 2017 event for European risk managers, held in Monte Carlo this week.

Fines for non-compliance with the EU GDPR will increase to as much as €20m or, if higher, to 4% of an organisation’s annual global turnover.

“But the negative media exposure can be much more expensive than just the fine. You have to quickly communicate with your clients,” said Clement.

There should be a focus on preventative and up-front services, with insurance payments representing “the last resort” of protection, he explained.

“Because 100% security is impossible – human error can always occur,” said Clement.

He suggested that being able to demonstrate that strong security, crisis plans and communications plans were already in place will help when explaining to the regulator how a breach still took place.

“If you can communicate well to your customers and to the authorities, that is going to result in less damage than if you had no plans in place and have less idea where the risk arose from,” said Clement.

Dutch authorities did not wait for the rest of the EU and implemented their own GDPR regime almost two years ago.

A new Data Protection Act has been in effect in the Netherlands since January 2016. It obliges data controllers to notify the Data Protection Authority (DPA) if a data security breach takes place, and authorises the DPA to impose direct fines of up to €820,000 for violations.

Regulators are under pressure, with staffing levels varying across EU jurisdictions, he suggested, and may follow up on perhaps only 1% of data breaches.

Questions remain unanswered about whether GDPR fines will be insurable in some jurisdictions but not others, depending on how authorities decide to proceed with breach investigations.

Penalties in the Netherlands have been deemed insurable. “Those fines are insurable in the Netherlands, but not in Belgium or the UK,” said Clement.

Article 29 of GDPR creates a mechanism for the various member state regulators to come together to decide on how to supervise GDPR across European borders.

A supervisory board allows regulators to decide how to investigate and punish a data breach. However, how this works in practice is still to be seen.

He suggested many firms still lack crucial awareness about upcoming GDPR enforcement.

“We’ve talked to several clients at FERMA about the readiness of companies. They know this is coming. However, a lot of companies still don’t understand GDPR’s requirements. It’s often because there is no single owner of the privacy and security issue within the company,” said Clement.

“You need legal, HR, IT, marketing and communications to come together with the risk and compliance functions,” he added.

Under GDPR rules, organisations should only collect personal data needed to fulfil specific, documented purposes, and where there is a permitted basis under GDPR for the collection.

“Public authorities, organisations processing large amounts of special categories of data, or whose core activities involve the regular and systematic monitoring of individuals, must appoint a data protection officer with expert knowledge,” Aon noted in a report published earlier this year.

“The regulation introduces the concept of accountability, requiring organisations to embed privacy controls into their operations and mandatory privacy-risk impact assessments for any new project likely to result in a high risk to individuals’ privacy,” said the report.

“GDPR also introduces a 72-hour notification requirement for all personal data breaches, except those which are unlikely to pose a risk to individuals. In the case of serious incidents, there will also be a duty to notify the affected individuals of the breach,” continued the report.