What You Need to Know About GDPR

General Data Protection Regulation

Have you noticed an increase in updated privacy policy emails in your inbox? It may have something to do with a new compliance requirement known as General Data Protection Regulation or GDPR.

Do you know if you are impacted directly or need to change operations to meet requirements of this new legislation? Here’s a brief overview to help you identify the requirements for your own organization:

  1. What are the basics of the GDPR?
    The goal of legislators was to provide European Union (EU) citizens more control over their personal data. As such, the GDPR increases the responsibility of any organization or business to protect the personal data of people living and working in the EU. Through the GDPR, individuals are given the right to understand how their information is being used. In addition, each person must be able to access, correct, erase, restrict processing, object to or maintain portability of their data. The ability to manage automated decision making or auto-processing options must also be provided.
  2. Who is impacted?
    Any organization that operates in the EU or manages EU-based data.
  3. How long do you have to comply?
    The new regulation went live May 25, so the clock for compliance has already started.
  4. Aren’t standard cyber-security measures found in the U.S. sufficient to cover GDPR requirements?
    It’s unlikely that existing security measures will be enough to satisfy GDPR requirements. This is primarily because the GDPR has a much broader definition of “private information.” While U.S. data protection rules are generally focused on name, identification numbers, medical and financial information, the GDPR defines any type of data that can reveal an individual’s identity as personal data; this encompasses anything specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. Examples include:
  • IP addresses
  • Internet cookies
  • Email addresses
  • Any location information
  • Medical data, including genetic and biometric data

This expanded range of at-risk data means businesses need stricter review of their existing data management procedures to ensure compliance.

  5. What happens to those who violate the GDPR?
    The financial consequences can be considerable, with fines reaching upwards of €20 million (almost $25 million) or 4 percent of a company’s global annual revenue.
  6. If my organization’s compliance is required, what next?
    MJ has a summary of the GDPR primary elements to help you plan next steps. To fulfill the GDPR, you will need to address:
  • Requirements for controllers and processors
  • Lawful bases and consent requirements
  • Mandatory data breach notifications
  • Right to erase data
  • Potential requirement to name a data protection officer

MJ is also ready to help you build and execute a comprehensive GDPR compliance plan as well as an overall cyber risk management program. If you want more information or simply have more specific questions about any aspect of cyber security, please contact Carol Scully at 317-805-7500 or carol.scully@mjinsurance.com.