In 2018 (the expected implementation date is 25 May) the introduction of GDPR will substantially change the way cyber regulation operates in Europe. GDPR is a significant piece of EU legislation that will bring together the different data protection laws currently in force across Europe and replace them with a single, general piece of legislation designed with future technological developments in mind.
From 2018, companies will be required to report any security breach to their regulator within 72 hours of the incident (where feasible). In high-risk cases, firms will also be responsible for informing the individuals whose data has been hacked.
In the recent “Facing the cyber risk challenge, 20 September 2016” survey carried out by Lloyd's of London, 18% of respondents from the UK were either unaware of the implementation of GDPR or were unsure whether their firm understood the changes it would need to make in response to the new regulation.
Under GDPR, companies will be legally liable for any data they process. Firms will need to ensure that the relevant assessments have taken place so that all necessary regulatory procedures are in place before the new GDPR regulations take effect.
What will the penalties be for non-compliance with GDPR?
There are two tiers of sanctions, set according to the seriousness of the infringement. Companies could face significant penalties depending on the effect of the breach or offence itself.
Some breaches could see fines of up to €20m or 4% of global annual turnover for the preceding financial year (whichever is the larger figure). Fines at this level may apply to breaches of:
• Basic principles of processing data
• International transfers
• Not complying with orders imposed by supervisory authorities
For other breaches, fines of €10m or 2% of global annual turnover could be imposed. Examples of such breaches include:
• Failing to maintain records
• Not reporting breaches
• Failing to subcontract correctly
Companies will need to re-evaluate their current cyber-crime policies before GDPR regulatory measures are enforced, to ensure that they have the correct protection in place and to avoid fines that could be financially damaging. Insurance brokers and IT network providers should be the first ports of call when it comes to ensuring that your firm has the necessary regulatory measures in place for the launch of GDPR in Europe.