Europe’s new data protection laws take effect today

Marsh is reminding companies that the General Data Protection Regulation (GDPR) comes into force on 24 May 2016.

The new data protection law for Europe, which is being introduced more than four years since the first draft was published in January 2012, will significantly increase the extra-territorial scope and the size of fines that can be levied against an organisation in the event of a cyber breach.

To mark the launch, the insurance broking and risk advisory group is publishing its latest Adviser, entitled ‘New Data Protection Law in Europe’.

To accommodate the GDPR’s expanded privacy rights obligations for the processing of personal information, companies will need to:

• Provide greater transparency and notice about why individuals’ personal information is used or processed.
• Obtain proof of consent to such processing by “clear affirmative action” of individuals.
• Create ways to allow individuals to exercise their “right to be forgotten” and data portability.
• Conduct privacy impact assessments, appoint data protection officers, and develop local capabilities for responding to data breaches.
• Demonstrate compliance with the GDPR through documented controls and audits.

Marsh’s Adviser also highlights the insurance implications of the new regulation, including:

• The financial consequences of these heightened obligations are likely to see an upwards shift in the loss estimates attached to any data protection items in the company’s risk register, potentially breaching acceptable risk tolerances.
• This adjustment is likely to lead to a re-examination of the adequacy of insurance arrangements. Organisations should review the effectiveness of their coverage, the sufficiency of any applicable indemnity limits, as well as the availability of enhanced insurance protection if existing arrangements fall short of requirements.


Related reading