Data Protection now comes with large, sharp
If you are a chief information officer, chief risk officer or
have responsibilities for data protection and overall compliance,
you will have read about the General Data Protection Regulation
(GDPR), which comes into effect in May 2018.
Many people's eyes glaze over somewhat when this quite fiddly and
seemingly complex European regulation, which falls under the remit
of the EU's Article 29 Working Party, is explained to them. Fear
not, however, as I have decided to demystify and defang the GDPR
beast in a series of blogs for the CII. This is the first part of
Why are so many risk and insurance professionals taking this
impending data protection regulation so seriously when we have had
data protection in Europe for years? The simple reason is that GDPR
has big, sharp, scary teeth that can result in fines being levied
of up to €20m or 4% of a company's global revenues/turnover. The
current maximum for the Data Protection Act is less than €0.6m at
current exchange rates.
Those are big (and likely) material numbers, so anyone with
fiduciary, technology and compliance responsibilities needs to know
about GDPR and their organisation's exposure.
Brexit, what Brexit?
Many readers may be thinking: "We're going to Brexit in two
years so we'll just opt out." Think again. First, GDPR lands on our
shores in 15 months, well before even a super-fast Brexit could
take place; and second, the global nature of the regulation renders
a potential Brexit get-out-of-jail card largely redundant if firms
intend to sell to, and/or process, the data of EU residents.
For organisations that are presently compliant with the Data
Protection Act, many of the principles behind GDPR will be
familiar. However, the data subjects (individuals) get some new
rights, which will result in organisations having to change their
business processes and computer systems to be able to adhere to
Human rights, now data rights
One of the rights provided by GDPR is the right to manual
processing. This provides protection for individuals against the
risk that a potentially harmful decision is taken without human
intervention. Where a data subject considers this to be the case,
they have the right to ask for their case to be processed by a
person. Consider the challenges to your business process and IT
systems of that simple statement.
There is a lot for insurance companies to absorb and understand
in a short space of time, particularly as most insurers have a 2017
change agenda that is already massive. Brexit, FCA and PRA
regulation, Lloyd's Minimum Standards, changes to contract law,
IFRS, MoJ rulings such as the recent Personal Injury Discount Rate
- all of these are adding to the change agenda headache, along with
the changes that firms want to make to do their business better and
not just comply with regulation. GDPR really isn't the one to
forget though, as the consequences of failing to understand or to
implement measures to achieve compliance could land a firm with a
fine, but also the damage to their reputation that such a fine will
A key difference of GDPR from the Data Protection Act is that it
has been updated for the internet age - an age that allows data to
move and be processed in a way that only a few thought possible
when the Data Protection Act became law back in 1998. One of the
changes is the recognition that a company in another part of the
world may collect and process EU residents' data without the data
subject knowing the data has left the EU. So the GDPR applies to
organisations irrespective of their location, so long as they are
processing personal data belonging to EU residents.
In my next blog, I will outline the danger of data breaches and
how they relate to GDPR.