New EU regulation introduces new stricter rules for the protection of personal data. Insurance can cover part of the risks

Companies in the Czech Republic should be on alert. New and fundamentally different rules from Brussels are arriving to improve the protection of personal data. The rules will start to apply in May 2018 for all EU Member States.

To be ready for when the new General Data Protection Regulation (GDPR) comes into force, companies should start preparing today. In addition to configuring IT processes to comply with the new European legislation, businesses can also be insured against loss of sensitive customer data.

After May 2018, any information and data that lead to the identification of individuals' personal data (for example, genetics, mental health, cultural, economic and social situations) should be protected. The new regulation extends the range of information that is considered to be personal data. For companies and organizations, the rules for obtaining valid consent to the use of personal data are tightened. Companies also have to set up the position of inspector for the protection of personal data under the new legislation. This is not only about state authorities but also about organizations operating in the private sphere. Where there is a high risk of privacy violation, businesses and organizations need to reassess risks.

"Any company or organization based outside the EU, working with EU citizens' data, must adapt and adhere to the principles and requirements of GDPR regulation. Virtually it has global reach. This is basically the first time that European legislation enforces the privacy principles of its citizens for the rest of the world," explains Michal Pilecký, RENOMIA Cyber ​​Risk Specialist.

The rules that companies and organizations in the Czech Republic will have to adopt next year cover a really area. They also undertake to report violations or data leakage to the authorities within 72 hours of the event. It also has the principle of minimizing data, i.e. organizations and companies should not keep the data longer than is strictly necessary. Therefore, they need to secure a thorough disposal of any such data.

Michal Pilecký points out that there is a great deal of time to escape personal data. In addition to losing or alienating important information, data, or hardware itself, we also include frequent cyber attacks, hacker attempts, or terrorism. Affected businesses and organizations can face grave consequences:  damaged confidence, reputation, good name and similar, which may lead to significant financial losses.

"Insurance represents a suitable complement to managing cyber risks and security of personal data. There are a number of cyber-related products on the market, everything can be tailored to the needs and requirements of the clients," adds Pilecký.

The most common types of cyber-risk insurance include the loss or theft of personal sensitive data or corporate data or hacker attacks. The insurance usually covers:

  • losses and the cost of legal representation in relation to third party liability
  • forensic IT audit that identifies the extent of data and information leakage
  • PR and the cost of disclosure to the public and the regulator (e.g. the Office for Personal Data Protection)
  • costs of negotiation with the regulatory and oversight authorities, penalties and fines, business interruption.