Breach reporting rules under GDPR viewed as a “watershed change”

Insurance Business Asia

After much anticipation, the General Data Protection Regulation (GDPR) finally came into force in May, upping the ante when it comes to how organisations handle and store data.

But while much attention has been paid to the hefty fines brought in by the law – which can see companies fined up to 4% of their global annual turnover – less has been said about the change in reporting regulations surrounding breaches.

Under the GDPR, organisations are required to report certain types of personal data breaches to the relevant data protection agency within 72 hours of becoming aware of the breach, and in some cases must notify the individuals affected too.

For those without an extensive plan in place or an insurance policy which can offer post-breach response services, compliance may prove difficult, according to David Kessler, cyber head at Travelers.

“I think the true change that GDPR brought in, and that will slowly be realised, is that when a breach occurs an entity needs to respond quickly. It’s a very small window of 72 hours to provide notice to the regulatory body,” Kessler said, describing the new rules as a “watershed change”.

“For the entities that are prepared for that, I think they’re going to be fine. They will avoid fines and penalties if they have a proper response plan in place. But those that don’t have the ability to, or don’t respond in an adequate or timely fashion, run the risk of those fines and penalties,” he told Insurance Business.

Those organisations that have not put a comprehensive breach response plan in place may find themselves seeking external help in a time of crisis, when it can be difficult to know where to turn.

“You’re probably going to do a Google search to try to find providers, but that might not help you if your computers have been knocked out… It’s about knowing which provider to turn to,” Kessler said.

In the long run, Kessler predicts that as companies begin to incur fines under the reporting rules, recognition among organisations of the need for cyber insurance will grow.