general data protection regulation
Property Casualty

The New Regulation That’s Forcing Companies to Up Their Security Game

Miles Weis
Miles Weis
AVP, Executive Risk and Cyber Practice Leader

You may have recently heard rumblings about a regulation called the “General Data Protection Regulation (GDPR).” It officially went into effect just over two months ago on May 25, 2018. This regulation is a set of rules governing data protection across the European Union (EU). It was first introduced in 2016 to replace a directive that had been in place since 1995. Don’t worry if you missed all those dates, I’m not going to quiz you. I’m just trying to establish some background on this. You can now breathe easy.

Anyway, the rule applies to organizations operating within the EU…but that’s not all. It also applies to organizations offering goods or services to individuals in the EU. As just one example, say you have a company in the U.S. that sells clothing all over the world…to include in the EU. That company is impacted by the GDPR.

If you’re now scratching your head thinking this is complicated…you aren’t alone. Add to that the fact that the GDPR imposes new significant fines — which can be up to 4 percent of annual revenue or 20M Euros, whichever is higher — for noncompliance with key provisions of the GDPR…well, to say it’s causing companies some heartburn might be an understatement. It is a good thing, though…I promise.

Here’s why. The GDPR will ultimately make it better for individual consumers to do business in the EU and elsewhere. The GDPR imposes a new standard for protecting individual data, a standard which is much higher than others we have seen before. The new regulation expands the definition of personal data to include items such as IP addresses, cookie data, and RFID tags. Basically, the regulation is taking aim at cyber criminals by enforcing companies in the EU or those that do business with EU customers to up their security game.

Now, companies doing business and dealing with personal information must proceed with extreme caution, because, as always, with increased regulation and increased awareness comes increased exposure.

A good question I think we all may be wondering right now is, “Is GDPR foreshadowing things to come in the U.S.?” Possibly. All 50 U.S. states have now adopted privacy and notification policies, with Alabama and New Mexico the last to implement said policies in 2018. The clearer answer really is that these regulations aren’t going to go away, so all companies, regardless of whether they do business overseas or not, really need to ensure they’re protecting the personal data and privacy of all consumers.

Holmes Murphy has many clients that do business internationally and potentially face exposures to GDPR. If you’re one of them and aren’t sure if you’ve taken all the proper precautions or simply have some questions, don’t hesitate to reach out to us!

Explore more from Holmes Murphy