Canadian companies at risk from wide-reaching GDPR

Failure to comply could result in harsh fines and penalties

By Bethan Moorcraft

The General Data Protection Regulation (GDPR) comes into effect on Friday, May 25 – and companies worldwide are scrambling to get shipshape with compliance.

GDPR was officially adopted by the European Union in 2016. It has extra-jurisdictional effect and applies to any company offering goods or services to EU residents, regardless of where that company is located. In today’s connected marketplace, GDPR has a very wide reach.

Vanessa Leemans, chief commercial officer, Aon Cyber Solutions EMEA, commented: “GDPR will expose organizations to significantly higher risks related to how they manage and store personal data. Data breaches, and other cyber events, could see businesses face both major fines and extensive costs. It is therefore essential that organizations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place.”

Aon has been working closely with Canadian companies involved in the EU to help them become GDPR compliant. Clients have been offered a compliance program created by specialized risk management firm Stroz Friedberg, a wholly owned Aon subsidiary, which guides companies through GDPR best practices.

Companies that fail to comply with the strict regulations could face significant financial penalties, the insurability of which remains a bit of a grey area in most jurisdictions. A GDPR guide released by Aon and DLA Piper, called ‘The Price of Data Security’, highlights that there are only a small number of jurisdictions in Europe where civil fines can be covered by insurance and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured. Criminal penalties are almost never insurable.

“For two decades, cyber insurance policies have been adapting to the changing risk and regulatory environment. Aon globally, and in Canada specifically, has been at the forefront of adapting insurance policy wording to provide legal cost coverage to challenge the imposition of a fine or penalty, and provide clients with a fighting chance to get those fines and penalties covered including those under the GDPR should our clients be caught offside,” said Brian Rosenbaum, head of Aon Canada’s National Cyber and Privacy Practice.

“By introducing more positive policy language, we’re limiting the possibility of an insurer citing a public policy defense and refusing to cover GDPR fines or penalties, and we’ve attempted to create a situation where the insurer can only refuse to pay if a court or piece of legislation orders them not to,” he told Insurance Business.

GDPR requirements are possibly more stringent and comprehensive than similar regulations in North American jurisdictions, especially around the protection of personally identifiable information, according to Rosenbaum. The definition of what counts as personally identifiable information is broad, and the requirements around how to use that data in a consensual manner are quite restrictive.

For example, the strengthened rules apply to consent, which must be easy for people to understand and withdraw. They also have the right to be forgotten through the erasure of data. If a data breach occurs, companies must notify people within 72 hours.

“The first thing Canadian companies can do is make sure they’re compliant,” Rosenbaum added. “Yes, there are risk transfer solutions that can cover some of the costs of GDPR breach, but if a company complies properly with the regulation, it stands a good chance of avoiding fines and penalties in the first place.”
