The European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, replaced the Data Protection Directive 95/46/ec as the primary law regulating how companies protect EU citizens’ personal data. The GDPR is expected to set a new standard for consumer data rights; companies will be challenged to put compliant systems and processes in place. For example, the GDPR takes an expansive view of what constitutes personal identification information; broader than that of the NYSDFS or NAIC regulations.
Under GDPR, companies will need to protect items such as an individual’s IP address and cookie data at the same levels as they do for name, address and Social Security number. EU data subjects have the right to access, to correct and to erase data held about them by organizations. These rights are not absolute; for example, the right to erasure (also known as the “right to be forgotten”) may be limited in cases where the company needs the data to perform a service or to comply with legal obligations. But companies must be cognizant of the scope of the data they have collected about data subjects (for example, customer databases or email contacts) and have processes in place to record and respond to such requests.
Many companies that have already been addressing data privacy requirements may now have to consider additional steps to comply with GDPR. There will be a greater impact on smaller companies with fewer resources. There is a great deal of uncertainty about how the law is to be applied; exactly what safeguards must be put in place or how to limit data collection when doing broad-based research.
Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.
Developments in the Data Privacy Regulatory Landscape (Introduction)
Regulatory Landscape Part II: Extra-Territorial Application of GDPR
Regulatory Landscape Part III: New York Department of Financial Services Regulation
Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers
Regulatory Landscape Part V: NAIC Model Law Regulatory Landscape Part VI: California Consumer Privacy Law
Regulatory Landscape Part VII: Conclusion