It’s been the topic of much discussion in the insurance community for months, if not years, but D-Day for the General Data Protection Regulation (GDPR) is finally around the corner.
May 25, 2018, will see the GDPR come into force, applying to all companies that deal with EU nationals, whether based in the EU or outside – and Brexit is no excuse.
The regulation is a modern overhaul of the data protection landscape, at a time when the value of personal data and how organisations are handling it, has never been more relevant.
Under the GDPR, non-compliance could prove extremely costly for companies: potential maximum fines being brought in are up to €20 million (£17.4 million), or 4% of annual turnover.
The Information Commissioner’s Office (ICO) will have the power to impose fines on a discretionary basis, assessing on a case-by-case basis depending on the articles of the regulation that have been breached.
Data suggests that the ICO has already been ramping up the pressure ahead of the GDPR this year, handing out record numbers of fines – particularly to the financial services industry.
All in all, the GDPR should be of significant concern to anyone in the insurance industry, but where should you start if you aren’t yet prepared?
“First of all, businesses need to understand the type of data they are dealing with, but even before that – given that time is so short – they should get an assessment,” Darren Wray, CEO of Fifth Step and GDPR author, told Insurance Business.
“The reason that’s so important is because, as time is so short, they need to concentrate on the high priority items and get those done first,” he said, adding that top of the list should be “the issues that any regulator or data protection authority is going to be concerned about.”
The GDPR brings in an increased focus on accountability, including the requirement that companies are able to demonstrate that they comply with the principles – and states explicitly that it is their responsibility.
“While I’m not sure that the ICO are staffed enough to do this on a regular basis, under the GDPR they can come and ask you to demonstrate how you are dealing and complying with it,” Wray said, adding that it’s no longer necessary for a complaint to be lodged or a data breach to take place first.
With so much information out there, organisations should do their research to understand what the legislation means for them – and not assume that they aren’t affected.
Wray added: “Ultimately, you’re going to need to start looking at what your data is, how you’re processing it, and whether you really need all that data. If you do, especially with time being so short, you need to make sure that its being processed correctly, and that you’ve got all the processes and procedures in place to protect it.”