GDPR Article Published in Insurance Day
Why are so many risk and insurance professionals taking the impending General Data Protection Regulation so seriously when we’ve had data protection in Europe for years? The simple reason is that GDPR can result in fines being levied up to €20 million or 4% of a company’s global revenues/turnover. The current maximum for the Data Protection Act is less than €0.6m at current exchange rates.
Those are big (and likely material) numbers, so anyone with fiduciary, technology or compliance responsibilities needs to know about GDPR and their organisation's exposure.
To read the full article by Darren Wray in Insurance Day (subscription required), click here: https://www.insuranceday.com/news_analysis/opinion/good-governance-is-vi....
If you do not have an Insurance Day subscription, a summary of the article follows.
Brexit, what Brexit?
My readers may think: “We’re going to Brexit in two years so we’ll just opt out”, but think again. Firstly, GDPR lands on our shores in 15 months, well before even a super-fast Brexit could take place. In any case, the global reach of the regulation renders a potential Brexit “get out of jail” card largely redundant if firms intend to sell to, and/or process the data of, EU residents.
For organisations that are presently compliant with the Data Protection Act, many of the principles behind GDPR will be familiar. However, data subjects (individuals) get some new rights, and organisations will have to change their business processes and computer systems to be able to honour those rights.
Human Rights, Now Data Rights
One of the rights provided by GDPR is the right to manual processing. This protects individuals against the risk that a potentially harmful decision is taken without human intervention. Where a data subject considers this to be the case, they have the right to ask for their case to be processed by a person. Consider the challenges that simple statement poses to your business processes and IT systems.
There is a lot for insurance companies to absorb and understand in a short space of time, particularly as most insurers have a 2017 change agenda that is already massive. Brexit, FCA and PRA regulation, Lloyd’s Minimum Standards, changes to contract law, IFRS, MoJ rulings such as the recent Personal Injury Discount Rate ruling - all of these add to the change agenda headache, along with the changes that firms want to make to do their business better and not just to comply with regulation.
A key difference between GDPR and the DPA is that GDPR has been updated for the Internet age, an age that allows data to move and be processed in ways that few thought possible when the DPA became law back in 1998. One of the changes is the recognition that a company in another part of the world may collect and process EU residents’ data without the data subject knowing the data has left the EU. So GDPR applies to organisations irrespective of their location, so long as they are processing Personal Data belonging to EU residents.
The Danger of Data Breaches
In Europe, the data subject gives the company to which they provide their data the right to use that information for a specific and stated purpose.
Just because a company collects that data, and has paid for the storage and processing of that data to provide us with a service, does not give the company the right to use that information for any purpose other than the one they intended or the one they told us it would be used for.
So let’s take a real-life example: if you sign up for a bank account or an insurance policy, you may read in the small print (and I am paraphrasing) “tick here if you are OK with us sending you details of offers or marketing.”
If the data subject does not tick the box to opt in and their data is still used to send marketing information, then that is a breach. It is certainly not a €20 million data breach, but it is an example of using data inappropriately and without the right to use it.
What is a €20 million breach?
More serious breaches include those where the company processing the data (the data controller or the data processor, in technical terms) is not protecting Personal Data from misuse or theft. Under GDPR there are two classes of Personal Data. Personal Data is information that can identify a living individual, which includes name, address, telephone number, email address and even IP address. This can include unstructured information such as a notes field: if it contained something like “the woman from 12 High Street, who owns the red car”, and there is only one woman living at number 12, or only one red car owner, or only one person living at number 12, then this information identifies a living individual.
Personal Sensitive Data is information that relates to things like union membership, medical data, sexual preferences of the data subject, GPS or location information, and biometrics. Anything that falls into one of those categories must be protected more rigorously.
Both Personal Data and Personal Sensitive Data require protection from misuse, which can occur within the organisation that has collected the data and has a right to use it for a purpose. Organisations also have a duty to protect their data from being hacked, that is, from becoming the victim of a data breach. An example of what the Information Commissioner’s Office - the data protection authority in the UK - might consider to be a €20 million breach is when unencrypted data is hacked.
If a company accidentally exposes the data on a web server that anyone can access, or worse still allows the data to be indexed by Google, these would be considered gross breaches of personal data.
Having taken the appropriate measures to protect the Personal Data under their control, businesses also need to ensure that they have a response plan in place that details how they will respond to a data breach. An effective approach to governance will allow the Data Protection Officer to understand the nature of the breach and inform the relevant authority of its nature and severity within the GDPR-mandated 72 hours. This is an important role and one that should properly be entrusted to a co-sourcing partner to ensure all the appropriate steps are taken quickly.
If your organisation is implementing GDPR and you need a trusted partner to work with you, then contact Fifth Step and find out how we can help - https://www.fifthstep.com/contactChrisDon