The EU General Data Protection Regulation
In May this year the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. It will affect any Jersey business that holds personal data of individuals in the EU. Cybercrime is increasing, and this new EU Regulation standardises breach-reporting requirements; until now the absence of uniform requirements has allowed many cyber attacks to go unreported.
The Regulation does not apply until 25 May 2018 (to allow member states, supervisory authorities and organisations to prepare for the changes), but businesses within its scope are advised to consider the implications now. The consequences are dramatic: an infringement can attract a fine of up to EUR20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is the greater. Many of the resulting costs and liabilities are insurable.
What is the GDPR?
Previously each EU member state had its own data protection rules. The GDPR unifies the law across the Union and significantly expands the obligations of organisations that hold or process personal data. It focuses on two key areas: data privacy and control, and data security.
How does this EU law affect us?
The Regulation naturally applies to controllers and processors established in the Union, but its reach also extends to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where that processing relates to offering them goods or services or to monitoring their behaviour (Article 3(2)). This can therefore include a Jersey business holding data on individuals in the EU in connection with a Jersey trust structure, company or investment fund.
It is also worth noting that the Office of the Information Commissioner in Jersey has stated that equivalent local legislation will follow and be implemented in the Island by May 2018.
What are the consequences?
A main element of the GDPR concerns breaches of the security of the personal data held. Cyber attacks are increasing at an alarming rate, and many businesses have made the commercial decision not to report that they have been affected by cybercrime. The Regulation obliges organisations to notify the supervisory authority of any breach likely to result in a risk to individuals, without undue delay and where feasible within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to individuals, also to inform the affected individuals.
For Jersey regulated businesses, a data breach may also require notification to the JFSC. The GDPR penalties for non-compliance depend on the nature and effect of the breach or infringement, with a tiered approach: up to EUR10 million or 2% of total worldwide annual turnover for the lower tier, and up to EUR20 million or 4% for the most serious infringements, in each case whichever is the higher.
How can I protect our business?
The retention, control and security of all data held by a Jersey practitioner should be a matter of risk assessment and management by the Board of directors, but insurance protection is available should a data breach occur.
The insurance market has developed a wide range of policy choices, including both first-party cover for a firm's own costs after a cyber attack and third-party cover for liabilities arising from the cyber event (whether an attack or a data breach), including damages, invasion of privacy and defamation.
What do I need to do?
If you have any concerns over the implications of the new law and your cyber exposures, get in touch with our team. We specialise in advising the professional sector on their risk exposures and insurance solutions.