At a glance
- Businesses will have to comply with new data protection rules from 2018
- The General Data Protection Regulation (GDPR) will introduce new requirements for those processing personal data and tougher penalties for data breaches
- We explain what brokers and their customers need to know about the GDPR
Businesses and organisations are under significant pressure to act responsibly with people’s personal data, with the penalties for failings set to increase under new EU data protection rules.
What is personal data?
Personal data is information that relates to a living individual who can be identified by that data, or by a combination of that data and other information in possession of the data controller.
It includes names, identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
Personal data also includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The impact of Brexit on GDPR
The GDPR will take effect on 25 May 2018. As it will take two years from the moment Article 50 of the Lisbon Treaty is invoked for Britain’s exit from the EU to be finalised, there is certain to be a period in which British organisations will be subject to the GDPR in the same way as those in other member states.
That situation is unlikely to change significantly after Britain leaves the EU.
Yasmin explains: “If we want to continue trading with the rest of Europe, we will be required to achieve ‘adequacy’ on data protection, which means achieving standards that are at least equal to the rest of the EU. So, whatever model Britain chooses after Brexit, there isn’t a scenario in which we won’t have to comply with the principles of GDPR.”
In this article, we discuss what your customers need to know about the EU General Data Protection Regulation (GDPR) – which will replace the Data Protection Act when it comes into force in May 2018 – and explain its impact.
GDPR: the key changes
The GDPR may introduce a number of changes affecting businesses and organisations responsible for processing personal data, including:
- A requirement to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery
- A broadened definition of personal data (see boxout), including online identifiers, such as a person’s IP address
- New requirements for the information to be included in fair processing notices for customers
- Compliance with enhanced individual rights, such as the right to data portability, the right to restriction of processing, the right to be forgotten and rights in relation to profiling
In addition, the penalties for data breaches could be far greater.
The biggest fine handed out by the ICO for a data breach is currently £350,000. However, this could potentially rise as high as €20m under the GDPR for serious breaches.
Yasmin Durrani, Data Protection Officer at Zurich, says: “The higher penalties will represent a significant risk.”
Developing robust systems for processing data
So, what should your organisation do to ensure systems for processing personal data are robust?
Yasmin says: “First of all, you need to understand what data you process, so that you can classify it. Not every type of data will be personal and therefore within the scope of these regulations.
“You should have robust retention schedules, which specify the retention period for each type of data, ensuring that you only keep personal data for as long as it is necessary.
“The next step is to understand where geographically your data is kept. As part of this, you should consider carefully all your arrangements for sharing data with third parties and when appointing suppliers that are based outside of the EU.”
How different sized businesses and organisations will be affected
Before considering whether or not they need to do anything differently in order to comply with the GDPR, brokers should examine the details of the GDPR carefully in accordance with the size of their firm, as some of the new requirements will only apply to larger organisations.
Yasmin says: “Businesses or organisations that carry out regular and systematic monitoring of individuals on a large scale are required to appoint a Data Protection Officer, as well as comply with certain requirements regarding record-keeping.”
Educate on data breach notification requirements
You should ensure that your staff are aware of the requirement for reporting data breaches within 72 hours – and that they understand what constitutes a data breach. Brokers should also ensure that internal escalation of breaches is defined and made easy for staff.
Yasmin says: “If an employee sends an email to the wrong person, quickly identifies their mistake, and then resends the email to the right person, they will often not consider that a data breach, but this kind of incident should be reported internally for the appropriate personnel to assess regulatory reporting.
“It’s important that you give staff the tools to report data breaches, but also the confidence that they will not face repercussions for doing so.”
Protecting data isn’t just about complying with rules
Although the GDPR will not come into force for another two years, the management of data remains a vital issue to be dealt with today.
Yasmin says: “If you are really serious about running an efficient business or organisation that will grow and flourish, you need good governance and good standards of managing data – it’s the key to long-term sustainability.”
Yasmin will be talking more on this topic at the Insurance Risk Europe Forum 2016, which takes place on 29 November.
To discuss any aspect of this article further, speak to your usual Zurich contact.