June 5, 2019 by Greg Meckbach
The European Union’s new data privacy law can affect your clients even if they don’t have offices in Europe, a cyber security expert with one of the world’s biggest brokerages warns.
The General Data Protection Regulation (GDPR), which took effect in May 2018, gives legal rights to individuals in all 28 European Union member states, whatever their citizenship. One is the right to erasure, commonly called the right to be forgotten: on request, your client must delete personal data on a person in the EU when, for example, it is no longer necessary for the purposes for which it was collected.
GDPR is creating additional exposure for firms doing business in EU nations, said Matthew McCabe, a New York City-based senior vice president for Marsh LLC’s U.S. cyber practice, in a recent interview.
“Regulators intended for the reach of the GDPR to extend far beyond the EU’s borders, with the rights granted under it following wherever an individual’s data may sprawl,” Marsh said in One-Year Anniversary of the GDPR: A Look Back and Ahead, a report released May 21.
GDPR applies to a Canadian client if it has a commercial presence in the EU, and that presence can be online only, McCabe told Canadian Underwriter in an interview.
“For the clients who just have a digital presence and rely on the fact that they don’t have a physical presence – they should take another look at the regulation,” said McCabe.
A client can have such an online presence simply by letting its mobile app be downloaded to a cellphone in the EU and then collecting data from that user while they are in the EU.
“We certainly make that clear for our clients how those exposures are changing and how they need to tailor their cyber insurance policies to address that risk,” said McCabe.
Enforcement falls to the data protection authority of each EU member state. A client found to be off-side the GDPR can face fines of up to 4% of global annual turnover or €20 million, whichever is greater. The euro is currently trading at about Cdn$1.51.
Nearly €56 million in fines were issued during the first nine months the GDPR was in effect, Marsh said in One-Year Anniversary of the GDPR.
Britain's planned departure from the EU this year does little to shrink the exposure: GDPR still applies to consumers in Germany, France, Italy, Spain and every other member state, and, through the European Economic Area agreement, in Norway as well. Russia, Ukraine and Switzerland are outside its direct scope.
There are tens of thousands of GDPR-related investigations under way right now involving companies, said McCabe. Some of those firms collect data and profit from their ability to discern consumer preferences from it.
GDPR applies to any information that can be used to directly or indirectly identify a person, such as a name, photo, e-mail address, bank details, posts on social networking websites, medical information, or an IP address.