If you do business in Europe, by now you have almost certainly heard of the General Data Protection Regulation (GDPR).
Well, batten down the hatches, folks, because this new set of data protection rules – which takes effect May 25, 2018 – applies to any business, wherever it is based, that handles the personal data of people in the European Union.
And the sanctions are onerous, with penalties as high as 4 percent of a company’s global annual turnover or 20 million euros, whichever is higher.
The rules hold companies of all sizes to account. They cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religious beliefs, web search history, online identifiers such as IP addresses and cookie IDs, biometric data, and more.
According to estimates from the consultants at Ernst & Young, the world’s 500 biggest corporations expect to spend nearly $8 billion to comply with GDPR.
Many companies outside Europe are only now awakening to the fact that GDPR affects them.
One of the biggest changes companies will now be expected to incorporate is in their conditions for consent. Companies will no longer be able to bury consent in lengthy, unreadable terms and conditions full of legalese. Instead, consent must be freely given, specific and informed, and requested in clear and plain language. It also must be as easy for customers to withdraw consent as it is to give it.
Larger businesses must keep records of the data they hold, why they have it, how long they’ll keep it, and how they protect it.
Under the GDPR, breach notification becomes mandatory: companies must report a personal data breach to the supervisory authority within 72 hours of first becoming aware of it, where feasible, and must tell the affected individuals without undue delay when the breach is likely to put them at high risk.
So, beyond making sure you have the right IT talent on hand to help ensure you’re in compliance, what else can you do to prepare for GDPR?
Well, the immediate and most common-sense answer is to make sure you have a standalone cyber insurance policy in place.
Why a separate policy? Because traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, and many of the cyber endorsements being tacked onto business owner’s policies come up woefully short.
The best policies do more than protect your company against claims that it violated privacy rules. They’ll provide you with the help you need to respond to any regulatory actions that follow a data breach or a failure to disclose one.
You can also obtain coverage that provides you with immediate technical support, no matter what time of day or night. This is the kind of help that goes to work on the restoration and recovery process as soon as possible.
A robust cyber policy also helps you notify affected customers, handle crisis communication and determine exactly what happened.
Better yet, this sort of coverage reimburses the profits you lose and the costs you incur because of the breach.
Cyber insurance isn’t only for large companies. Fifty-five percent of small businesses have experienced a data breach, and 53 percent have had multiple breaches.
The unfortunate fact is that many U.S. companies still don’t have cyber coverage. The healthcare industry is particularly behind on fully protecting itself with cyber insurance.
Part of the problem is no doubt related to some confusion in the marketplace over competing policies and pricing. But the risk of a cyber attack is growing, and the typical cost of a breach for a business with fewer than 250 employees is already about $200,000 – a figure that doesn’t include the penalties introduced by the GDPR’s privacy rules.
Oh, and here’s one last statistic to consider: Sixty percent of small companies go out of business within six months of a data breach.
Jeff Parent is an Insurance Advisor at CCIG. Reach him at firstname.lastname@example.org or at 720-330-7918.
CCIG is a Denver-area insurance brokerage with the full-service capabilities of a national brokerage. We do more than make sure you have the right policy. We also help you manage your long-term cost of insurance with our risk and claims management expertise and a commitment to service excellence.