The “Ten Commandments” of the General Data Protection Regulation (GDPR)

May 21, 2018, Business Insurance and Risk Management, The Beacon Blog

On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect in the European Union. This is just days after the Jewish holiday of Shavuos commemorating the giving of the Ten Commandments. Coincidentally or not, the Locke Lord law firm has published a list of highlights of this regulation, which could be considered the “Ten Commandments” of the GDPR.

  1. The GDPR applies worldwide. Businesses that offer goods or services to individuals in the EU, or monitor them on the Internet, are subject to this regulation even if they have no physical or legal presence in the EU.
  2. Breach of the GDPR will cost you. Authorities have the power to levy fines up to 20 million euros or 4% of an organization’s gross worldwide revenue, whichever is greater. Individuals can also claim compensation.
  3. Data subjects have more rights. These include obtaining copies of their personal data, having it sent to another provider, or objecting to its processing. There is also a “right to be forgotten” – the right to request that a person’s data be erased.
  4. You must report data breaches. In most cases, authorities must be notified within 72 hours. In serious cases, potentially affected individuals must be notified.
  5. You must provide individuals with information about how their data is processed in a transparent, intelligible and easily accessible way.
  6. Subjects must consent to the processing of personal data. Separate consents are required for different activities. Individuals must be able to withdraw consent. Parental consent is required for children up to at least 13 and potentially 15.
  7. As a processor, you are liable for breaches. Data processors now have many of the same obligations as data controllers.
  8. If you process or monitor large amounts of data you need a data protection officer. DPOs must carry out a variety of functions, have suitable skills and report to upper management. An estimated 28,000 DPOs will be needed in Europe alone.
  9. If you engage in high-risk processing you must carry out a Privacy Impact Assessment.
  10. Organizations must have appropriate cybersecurity measures in place. This includes technical certification, organizational policies, and staff training.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.