EU privacy regulation should be in minds of Canadian risk managers

Published: March 2, 2018

Updated: July 24, 2018

Author: Luke Jones



Changes to European privacy regulations coming into effect this May could create some challenges for commercial brokers with Canadian clients. Terri Mason, CAN Canada’s assistant vice president for cyber and professional liability, told Canadian Underwriter that the General Data Protection Regulation (GDPR) should be a concern for risk managers in the country.

GDPR is precedent-setting legislation that gives European Union residents the legal right to have personal information deleted when it is “no longer necessary in relation to the purposes” for which it was collected. This means companies will not be able to hold and use customer data once the purpose for which it was collected has passed.

GDPR “applies to any company that has access to or is processing information” on citizens of EU nations, “regardless of where that organization is located,” Mason said.

Organizations that don’t comply with the upcoming law will face fines of 20 million euros, or 4% of annual revenue, whichever is greater. For a major insurance company, that would mean losing 4% of its revenue.

The regulation applies to “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person,” the EU says. “It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”