Data protection has long since moved beyond the sole responsibility of an I.T. team. It has become a Boardroom issue. The General Data Protection Regulation is coming. Will your company be ready?
In the summer of 2017, two well-documented cyber-attacks caused chaos for businesses around the world and pushed the subject of data protection to the top of the agenda across the media. The WannaCry attack in May 2017, which wreaked havoc with private companies and public institutions including the NHS, was followed two months later by a second, even larger attack called Petya. Some estimates suggested its cost could have reached 10 times that of the WannaCry incident a few weeks earlier.
Whilst taking appropriate action to prevent cyber-attacks is critical, you will no doubt have seen much publicity surrounding the new General Data Protection Regulation (GDPR), which is due to commence in May 2018. Businesses that collect data from EU citizens could face fines of €20m or up to 4% of global turnover if they fail to implement the measures and actions necessary to comply with the new Regulation. In addition, the average cost per breached record in 2017 was £98, so data protection is very much a key Boardroom issue.
According to Insurance Business UK, a recent survey in November 2017 revealed 30% of UK businesses remain in the dark about the new law, with 10% not planning to do anything about it, leaving large numbers of companies at significant risk of damaging financial and reputational sanctions which could have devastating repercussions.
Griffiths & Armour have been encouraging all clients and businesses who have not already done so, to seek advice and take appropriate measures to get prepared for the changes and protect their organisation from attacks by pinpointing where potential weaknesses exist, developing an action plan to address the issues and where appropriate, considering the right type of cyber and crime insurance cover to protect their businesses.
A member of our specialist Cyber Risks team is available should you have any questions or wish to discuss your needs further. Contact information can be found at the end of this article.
The following information will also provide you with useful facts covering the key talking points surrounding GDPR and the expected changes you need to consider:
GDPR - WHAT IS IT?
Despite Brexit, the UK government has confirmed that the UK will fully implement the new European Regulation, so from 25th May 2018 the new GDPR rules will apply to all EEA countries and to companies that conduct business in them. This also includes organisations located outside the EEA territory that process EU personal data. The changes are an update and replacement of the current data protection rules.
If your organisation is involved in processing personal data, the following changes will apply to you:
- A requirement to report certain data breaches to the Data Protection regulator within 72 hours of discovery so that, if affected, your individual data subjects can be informed and appropriate measures can be taken. Failure to notify within 72 hours could result in a fine of €10m or 2% of global turnover.
- Individuals will have greater access to their own data and to how you process it, and you will also be expected to provide this information in a clear and understandable way.
- Individuals can expect to be able to transmit their personal data between suppliers or service providers in a far easier and more portable manner.
- Your data subjects will have the ‘right to be forgotten’. Or in other words, individuals will have the right for their personal data to be erased if there is no compelling reason for you to continue storing or processing it.
- The conditions you must adhere to in order to gain consent have been strengthened. They include:
  - Data capture methods must be clearly distinguishable from other subject matter, presented in an easily accessible form and using plain language.
  - Explicit and clearly separate consent, freely given, for distinct processing operations.
  - It must be as easy for an individual to withdraw consent as it was to give it.
  - Opt out means out!
  - Pre-ticked boxes designed to ‘opt in’ by default unless otherwise stated will not be permitted.
  - You must keep clear data records to prove when and how consent was granted.
WHAT IS PERSONAL DATA?
Personal data is defined as information that relates to an identified or identifiable natural person, i.e. someone who can be identified by that data or by a combination of that data and other data in the possession of your organisation or of the person controlling the data.
It includes individual names, addresses, telephone numbers, location data, online identifiers or any factor that is associated with the physical, physiological, genetic, mental, economic, cultural or social identity of an individual person. Personal data also includes any information or digital notes you may hold on that person, such as an expression of opinion or an indication of the intentions of your organisation or any person within your organisation in respect of an individual.
MUCH BIGGER FINES FOR BREACHES OF GDPR RULES
Any company or organisation that fails to adhere to the new rules may be subject to a fine of up to €20 million, or 4% of the company’s global annual turnover, whichever is higher.
WHAT IS THE ‘RIGHT TO BE FORGOTTEN’?
The GDPR’s ‘right to be forgotten’ is best described using two main concepts – CONSENT and PURPOSE. When an individual consents to the processing of their personal data, they do so because they assume that data is intended for their benefit or some other explicit purpose.
An individual therefore has the right to request their personal data be erased when the purpose or benefit to which consent was originally given no longer applies.
WHAT IS THE IMPACT ON BUSINESS?
It is hoped the reforms will create a more efficient business environment and reduce the costs many businesses face if they process personal data across borders. An opportunity for businesses to capitalise on simpler, clearer and more unified standards may also go some way to maintain and build consumer trust.
The reforms also require all businesses outside the EEA to comply with the new data protection standards while they do business in an EU member state. This should result in a more level playing field, with international businesses trading within the EU being bound by the same rules, regardless of where they are established.
Data safety is streamlined by having one central supervisory authority in each European country. This is particularly encouraging if the move also promotes a risk-based approach to compliance requirements, recognising that businesses should have different obligations and operate under standards that more accurately represent the specific risks associated with their data processing.
Finally, data processors will be expected to implement data protection safeguards from the early stages of product or service development to ensure that data protection is the norm and not the exception. One such safeguard is an expectation to appoint a Data Protection Officer (DPO), if applicable, who will be responsible for data protection compliance. Organisations must appoint a DPO if they are a public authority, they carry out large-scale systematic monitoring of individuals, or they carry out large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Here are some useful tips to help you prepare for GDPR:
- Awareness: Are all decision makers in your organisation aware of GDPR? They need to understand and appreciate its potential impact.
- Information You Hold: Have you documented what personal data you already hold? Ensure you know where it came from and whom you share it with. You should consider organising an information audit.
- Communication of Privacy Information: Carry out a review of your current privacy notices and put a plan in place for making any necessary GDPR changes.
- Individuals’ Rights: Check your existing procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Information Access Requests: Plan how you will handle requests within the new timescales.
- Legal: What is your basis for processing personal data? Look at the various types of data processing you carry out, identify your legal basis for doing so and make sure you document it.
- Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Minors and Children: Think about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data Breaches: Do you have the right procedures in place to identify, report and investigate data breaches?
- Data Protection by Design and Data Protection Impact Assessments: Think about familiarising yourself with the ICO guidance on Privacy Impact Assessments, and work out how and when to implement them.
- Data Protection Officers: Appoint a DPO or someone to be responsible for data protection compliance. You should assess where this role sits within your organisation's structure and governance.
- International: Do you operate internationally? If so, you should find out which data protection supervisory authority your business interests fall under.
If you have any comments or questions on the information contained within this article or would like to discuss how you can prepare ahead of GDPR, please contact your Griffiths & Armour Insurance Broker or e-mail firstname.lastname@example.org and we will redirect your enquiry to the appropriate person.
For a more detailed overview of your responsibilities under the GDPR, you can download the ICO’s guide for organisations.