
Should Your Business Be Preparing for GDPR? (Spoiler Alert: Yes)

By Robert H. Rosenzweig, National Cyber Risk Practice Leader


Since I first put pen to paper on this post just last week, three more major breaches have hit the headlines: Hudson’s Bay Company, Orbitz and Under Armour. Already in 2018 we have seen several high-profile security breaches. That is bad news, though the good news is that change is in the works: on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) becomes enforceable.

GDPR requires businesses to protect the personal data and privacy of individuals in the EU. It applies to organizations established in the EU and to organizations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. Its definition of personal data is broad: an IP address or other online identifier counts, so a company must protect it with the same care it gives a name, a postal address or a Social Security number.

At a high level, this means that any U.S.-based business collecting data on people in the EU will be held to these higher standards of security and exposed to new, costly sanctions for non-compliance: administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. It is therefore imperative to ensure that insurance policies are structured to provide coverage for legal fees, fines and penalties (whether regulatory fines are insurable varies by jurisdiction, so confirm this with your broker).

Any business affected by the change should get in touch with its broker as soon as possible to tackle the policy nuances GDPR may bring. For instance, as it stands today, some carriers only provide coverage for regulatory inquiries once a business has had a data security incident. Under GDPR, regulators are likely to conduct proactive investigations before any breach happens; if they find deficiencies or areas of non-compliance, you could be left exposed for those costs under such a policy.

An important consideration right now for any business, small, medium or large, and regardless of whether it needs to comply with GDPR, is employee training. Time and time again the biggest vulnerability is people, not technology. Work with your risk manager to put together drills and an incident response plan. Under GDPR a rehearsed plan is also a compliance matter: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible. Neither you nor your bottom line will be sorry.

To get your business prepared for GDPR, reach out today: cyber@risk-strategies.com.