The GDPR

If you are a chief information officer, chief risk officer or have responsibilities for data protection and overall compliance, you will have read about the General Data Protection Regulation (GDPR), which comes into effect in May 2018.

Many people's eye glaze over somewhat when this quite fiddly and seemingly complex European regulation, which falls under the remit of the EU's Article 29 Working Party, is explained to them. Fear not, however, as I have decided to demystify and defang the GDPR beast in a series of blogs for the CII. This is the first part of that series.

Why are so many risk and insurance professionals taking this impending data protection regulation so seriously when we have had data protection in Europe for years? The simple reason is that GDPR has big, sharp, scary teeth that can result in fines being levied of up to €20m or 4% of a company's global revenues/turnover. The current maximum for the Data Protection Act is less than €0.6m at current exchange rates.

Those are big (and likely) material numbers, so anyone with fiduciary, technology and compliance responsibilities needs to know about GDPR and their organisation's exposure.

Brexit, what Brexit?

Many readers may be thinking: "We're going to Brexit in two years so we'll just opt out." Think again. First, GDPR lands on our shores in 15 months, well before even a super-fast Brexit could take place; and second, the global nature of the regulation renders a potential Brexit get-out-of-jail card largely redundant if firms intend to sell to, and/or process, the data of EU residents.

For organisations that are presently compliant with the Data Protection Act, many of the principles behind GDPR will be familiar. However, the data subjects (individuals) get some new rights, which will result in organisations having to change their business processes and computer systems to be able to adhere to these rights.

Human rights, now data rights

One of the rights provided by GDPR is the right to manual processing. This provides protection for individuals against the risk that a potentially harmful decision is taken without human intervention. Where a data subject considers this to be the case, they have the right to ask for their case to be processed by a person. Consider the challenges to your business process and IT systems of that simple statement.

There is a lot for insurance companies to absorb and understand in a short space of time, particularly as most insurers have a 2017 change agenda that is already massive. Brexit, FCA and PRA regulation, Lloyd's Minimum Standards, changes to contract law, IFRS, MoJ rulings such as the recent Personal Injury Discount Rate - all of these are adding to the change agenda headache, along with the changes that firms want to make to do their business better and not just comply with regulation. GDPR really isn't the one to forget though, as the consequences of failing to understand or to implement measures to achieve compliance could land a firm with a fine, but also the damage to their reputation that such a fine will undoubtedly attract.

A key difference of GDPR from the Data Protection Act is that it has been updated for the internet age - an age that allows data to move and be processed in a way that only a few thought possible when the Data Protection Act became law back in 1998. One of the changes is the recognition that a company in another part of the world may collect and process EU residents' data without the data subject knowing the data has left the EU. So the GDPR applies to organisations irrespective of their location, so long as they are processing personal data belonging to EU residents.

In my next blog, I will outline the danger of data breaches and how they relate to GDPR.