Europe’s strict new online privacy law, the General Data Protection Regulation (GDPR), went into effect on May 25, tightening the rules on what companies can do with people’s data. The changes aim to give Internet users more control over what is collected and shared about them, and to punish companies that don’t comply. Under the terms of the GDPR, organizations must not only ensure that personal data is gathered legally and under strict conditions; those who collect and manage it are also obliged to protect it from misuse and exploitation, and to respect the rights of data owners. Companies that don’t comply with the GDPR can be penalized up to 20 million euros ($24 million) or 4% of their global revenue, whichever is greater.
The new law requires companies to be transparent about how your data is handled, and to get your permission before starting to use it. It raises the legal bar: businesses must be clear when targeting ads based on personal information such as relationship status, job or education, or activity on websites and apps.
Personal data under the GDPR is any data that can identify a person – your name, phone number, username, IP address or location data. It also includes sensitive personal data, such as genetic data and biometric data, which could be processed to uniquely identify an individual.
Under the new law, individuals will have to opt in before a company may use their data, which means fewer pre-selected boxes and the use of clear and simple language in consent requests. In addition, individuals can ask companies what information they are storing about them, and then request that it be deleted. This applies not just to tech companies, but also to banks, retailers, grocery stores or any other organization storing personal information. Organizations are also required to notify the appropriate national bodies as soon as possible in the event of a breach, so that EU citizens can take appropriate measures to prevent their data from being abused.
The new legislation also has a huge effect on businesses outside Europe, including the United States. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU that offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world must be GDPR-compliant.
Another effect of the GDPR is a boost in the sale of Cyber insurance in Europe. According to a recent article in Reuters, insurers say Europe’s directive, together with major cyber attacks like last year’s WannaCry and NotPetya viruses, is driving demand on the continent for Cyber insurance. Cyber cover can pay for anything from the repair of IT systems after a data breach to compensation for lost business, notification costs, legal costs and even a public relations firm to rehabilitate a damaged reputation.
RPS has been in the forefront in offering Cyber insurance solutions to a broad spectrum of organizations across the country. For more information about our Cyber products, give us a call.