It seems as if each day that passes we are hearing about another cyber-attack, or some sort of hacking operation that involves our personal information being stolen. This has become a really important issue for a lot of citizens – and organizations – that never thought it would be a problem for them. Many of us have probably heard about the General Data Protection Regulation (GDPR) in the news lately, but have not looked into what it actually is or means. The GDPR becoming effective earlier this year is a big deal, not only for those in Europe, but for those of us in the U.S. as well. The GDPR is the new regulation put into effect by the European Union (EU) that regulates the processing, by any company, organization or individual, of personal data relating to individuals in the EU.
One might read this article and ask, “Why does this concern me if it is an EU regulation?” That is a valid question, and one I will answer. The passing of the GDPR is very important to individuals and organizations in the U.S. as well, as it will start to become the new “norm” for laws regarding the personal data of people located in the EU, even when the organization handling that data is not based in the EU.
Already, California has enacted its own privacy law, the California Consumer Privacy Act of 2019 (CCPA). The CCPA is actually broader and mandates several additional compliance requirements not imposed by the GDPR. Both the GDPR and the CCPA grant individuals the right to access, delete, transfer and object to the sale of their personal information.
Being in the insurance industry and dealing a lot with cyber liability policies (and claims), I feel that the passing of the GDPR and the CCPA in the U.S. is just the beginning of the onslaught of stricter regulations, enforcement and hefty penalties we will begin to see take place in our country. Take a look at these high-profile data breaches from 2017 alone:
- PayPal – 1,600,000 accounts hacked;
- NSA data breach – 100GB of top secret data;
- California voter personal information – 19,264,123 records breached;
- Uber – paid hackers to delete stolen records of 57 million individuals; and
- Equifax data breach of 147,900,000 individuals.
These are just some of the breaches! The real question with the GDPR is – who does this affect? The answer is simple and direct: the GDPR applies not only to organizations located within the EU, but also to any organization located outside the EU that offers goods or services to EU individuals. In other words, regardless of your location, if you are processing or holding the personal data of individuals residing in the European Union, the GDPR applies to you. It is important to address the fact that penalties for non-compliance are stiff. In fact, organizations can be fined up to 4% of their annual global turnover. Already, lawsuits against Facebook (€3.9 billion) and Google (€3.7 billion) have been filed since the enforcement of the GDPR began.
This is definitely something that we in the association world will want to pay close attention to and make sure we are up to speed on. I think we will start to see more requirements for organizations to take the necessary steps for them to be compliant.
So the real question is, do you now or have you ever captured any personal data of an individual in the EU?