General Data Protection Regulations (GDPR)
What is GDPR?
This new set of regulations will have an impact across many areas of your business, including IT, HR, Marketing, Sales and Compliance. GDPR is designed to provide safeguards for individuals’ data and asks questions about how you manage, store and process personal data. The Regulations supersede the UK’s Data Protection Act and harmonise the various laws within each of the EU member states. The UK will retain these obligations despite its plans to leave the EU.
Businesses will need to document and evidence the decisions that they make, have processes in place that properly seek permission to contact consumers and other businesses, be aware of how they capture data and where it is stored, and demonstrate the security measures they have in place to prevent network or data breaches. The Regulations come into effect on 25th May 2018, and a business that is not ready could face significant fines.
What do you need to do?
There are 5 key steps to help you start the review process:
1. Nominate a senior person (normally a Board member) who will be accountable, and allocate responsibilities, including appointing a Data Protection Officer where applicable.
2. Carry out an information audit to ascertain where your data comes from, how you store it and why it is used. At the same time, review your privacy notices, the process for deleting personal information, and whether to set up a common format for responding to requests.
3. If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), determine who your lead data protection supervisory authority is.
4. Review how you record and manage consent and whether you need to make changes. You need to be able to verify a person’s age and to obtain parental consent where required.
5. Make sure you have the right procedures in place to detect, report and investigate a data breach.
As of November 2017, there are elements of GDPR still in consultation. These include, for example, guidance on the contractual responsibilities between Processor and Controller, which could impact Professional Indemnity and Cyber policies.
Although insurers have yet to set out their stall, there could be 3 major implications:
1. We can expect insurers to ask for more information about your business processes and procedures. This is because many clients now buy Cyber 3rd Party Liability and related 1st Party insurance (covering, for example, the costs of notifying the data subjects or of providing credit-monitoring services). In addition, many policies now cover ‘Civil Fines’ imposed by Regulators, all of which could result in increased exposure under your insurance policy.
2. Insurers are likely to require policyholders to declare, to the best of their knowledge, that they have taken all reasonable steps to be compliant with GDPR. Failure to fairly represent how the organisation is managing its risks could allow an insurer to avoid a claim.
3. If existing or prospective insurers are not satisfied that their client has demonstrated an acceptable level of GDPR compliance, they could put the premium up or even decline to quote.
Sutton Winson has entered a joint venture with legal and security specialists to create ‘the SME Cyber Alliance’. This alliance will help you get started and put the right procedures and processes in place in order to comply with
If you would like more information, please email firstname.lastname@example.org