Regulation

Time is running out to prepare for GDPR

With the EU’s General Data Protection Regulation (GDPR) going into effect on May 25, 2018, insurance and reinsurance players must take steps to understand how the regulation will affect them.

The GDPR will be enforced starting 25 May 2018 and will apply to those collecting, storing or using the personal data of the residents of the European Union’s 28 member states.

As a report by McAfee notes, “the regulation changes requirements around protecting the personally identifiable information of over 500 million people, and occupies the minds of anyone around the world concerned with data protection.”

A recent survey published by SAS has revealed that only 45% of businesses actually have a structured plan for compliance, and over half (58%) still do not fully understand the full consequences of non-compliance in the face of the new regulation – a mere four per cent of annual global turnover.

Under GDPR, SAS explains that every EU resident has the right to know how their personal data is being used – and can request to have his or her data completely erased.

This means that organisations that store and/or process EU consumer and employee data must be vigilant in protecting that data, regardless of where they are located.

Noncompliance with GDPR regulations can be costly and may result in hefty financial penalties ranging up to $22 million or 4%of annual global turnover (whichever is greater).

Joanne Bone, a partner at law firm Irwin Mitchell, says: “Despite GDPR representing the biggest change in 25 years to how businesses process personal information, our recent survey found that just 47% of financial services businesses in the UK have started preparing for it.

 “For wealth management businesses which collect and use large amounts of private individual profile data in order to understand customers and provide the best and most suitable products and services to meet their needs, the impact of GDPR could be huge. As a starting point, it will be necessary to understand what data you have and whether it is properly permissioned to enable you to do what you need to do.”

 Bone stresses that Information security is a key point.  She says: “Whilst financial data does not fall within the legal definition of sensitive personal data, it is accepted that it must be handled carefully because any breach involving financial data is viewed as a serious issue by the Regulator. 

 “One of the big changes to be brought in by the GDPR is compulsory notification of certain data breaches. If this is coupled with the massive increase in fines, from £500,000 to €20million or 4% of global turnover whichever is larger, then it is imperative that the new rules are taken very seriously.

 “The implications cannot be ignored and it’s important that organisations undertake a root and branch review of their data governance practises to avoid falling under the spotlight of the ICO.”

According to Bone, if banks and wealth management businesses embrace GDPR, then they can build customer trust and confidence and give themselves competitive advantage. Ensuring customer confidence is maintained in the collection and handling of their data is crucial in data heavy businesses of this nature.

Changes

A key concern of GDPR is around giving customers the ability to access their data, which may prove a challenge for businesses with extensive legacy systems, designed pre GDPR.

Peter Woollacott, chief executive officer of Huntsman Security says this may well take companies beyond 2018 to be able to achieve, saying: “People store data in legacy systems which aren't really designed for that sort of access. It was never designed to give it back, and that is going to be an issue. With newer systems it's fine. Particularly banks, which have a lot of information, also have a lot of legacy systems."

In terms of how to prepare for the data regulation, Bone says GDPR compliance can sometimes seem overwhelming but if started early and approached in a methodical way, it is achievable. 

She explains: “The first stage is to understand what data is held, how it is used and what legal grounds permit its use.  I would strongly advise that a data audit is undertaken quite simply because if an organisation doesn’t know what data it has, then you cannot make it compliant. 

 “I would also suggest a data clean-up which involves looking at the data, examining if it is out of date or no longer used, and then considering whether it should be retained.  There is no point spending time and money in making outdated data compliant and in any event, the GDPR requires data retention to be thought about.  It is important to remember, if the retention of the data is no longer necessary then it should be deleted."

 According to Bone other key issues involve looking at transparency around how the data is used, setting a process to deal with data breach and preparing for enhanced rights given to individuals. 

“Individuals will have the right to be given more of their personal data via subject access and they are also given additional statutory rights, such as the right to be forgotten and the right of data portability.  Businesses in the sector need to prepare for how to deal with these rights including how to deal with requests which don’t need to be auctioned,” says Bone.

Michael Corcione, managing director, Cybersecurity and Data Protection Consulting Services at Cordium, highlights two other big changes the GDPR is due to bring in: “The right to be forgotten, reinforced in Principle 5 of the current Data Protection Act, has sparked further confusion. ‘The right to be forgotten and to erasure’ is not always a legitimate request and does not stand as an unconditional right. Although firms should have procedures in place to comply with any request, there may be instances where the request itself does not meet the European Court of Justice’s criteria and can be avoided.

 “The requirement to appoint a Data Protection Officer applies only to firms who operate in the public sector or employ 250 staff. However, the regulation does recommend a qualified individual to be appointed with responsibility for data protection at all times. So for most firms, this will be the action needed.”

For companies yet to begin preparing for GDPR, time is running out. For those just starting assessing their options, however, advice of where to being includes appointing a dedicated data protection officer, and conducting a thorough examination of what data is held.