Author: Richard Jefferies – Insurance Sector Client Manager, 18th January 2017
The General Data Protection Regulation (GDPR) will come into effect from 25th May 2018. Indications are that even after Brexit the subsequent UK data protection regulation will closely mirror that of the EU. London Market participants, therefore, need to understand, interpret, prepare and act on the new data protection requirements.
The round table provided critical insights on the forthcoming GDPR from Allen & Overy LLP, a “Global Elite” law firm and a specialist in data protection. Discussion points included key details of the regulation, implications, what actions organisations are taking now and what you should consider for your organisation.
The presentation was complemented by an in-depth round table discussion and peer input to explore how and where this expert insight and guidance can be applied to ensure organisations are fully prepared for the coming changes in data protection regulation.
The attendees covered a variety of roles, all of which play a role in GDPR compliance, e.g. Compliance Officer, Legal / Counsel, Head of IT, Data Protection Officer / Security.
Please note: The information in this document does not constitute advice from Allen & Overy LLP, and should not be relied upon.
• GDPR builds on existing data protection concepts, e.g. right to erasure, and formally codifies these concepts. It also introduces some new concepts (e.g. the direct application of European data protection law to data processors). Broadly, GDPR does not fundamentally change the basic principles of European data protection law.
• The regulation applies to the processing of personal data, with obligations on data controllers and data processors.
• Key GDPR principles include: data accuracy, data minimisation, lawfulness, fairness and transparency.
• Broadly, the regulation contains 3 main types of provisions:
o Data subject’s rights, e.g. right to erasure and portability of personal data;
o Accountability, e.g. privacy notices, consent, breaches reported within 72 hours;
o Enforcement, e.g. fines of up to 2-4% of annual worldwide turnover.
• Insurers are data rich and regulators have previously issued some of the largest fines for data breaches to insurers.
• Need to be quite transparent about what data you are processing and why.
• There are lots of questions around obtaining consent – the onus will now be on the data controller to prove that it has obtained valid consent.
• Generally, a privacy impact assessment should be undertaken in relation to automated profiling of an individual.
• Larger organisations already have Data Protection Officers; smaller organisations often don’t have the in-house resources.
• The onus is on the data controller to report a breach within 72 hours where feasible; where a data processor is also involved, the processor must also notify the controller of data breaches.
• High-profile breaches at large organisations have exposed mixed data breach response capabilities. Need to assess how prepared you are for a breach, e.g. pre-prepared statements, a team and processes that come into play, etc.
• Fair processing notices for consumer-focused organisations.
• For controllers, looking at what contractual terms are in place with processors.
• For processors, trying to anticipate what may come at you from the controllers – to counter, to show compliance, to negotiate clauses, etc.
• Generally focussing on due diligence – the right conversations and awareness with the relevant people, setting ownership, accountability, requirements, etc.
• Training – needs to be tailored to the audience, e.g. marketing, IT, etc.
• Resourcing – people, budgets, etc. to cover compliance efforts.
Typically, in-house legal teams are taking the lead on GDPR programmes, although IT and Compliance Departments are heavily engaged on key decisions. Some companies are even going to the extent of setting up dedicated teams to manage and oversee GDPR compliance throughout their organisation.
There is a mixed level of preparedness in London Market organisations, although some have moved through strategy, gap analysis and due diligence phases and are now focussing on GDPR implementation.
In the case of brokers bringing business to underwriters, where does consent fall? The underwriter needs to get consent, but as the broker is likely to use the data for other purposes as well, the broker will need to get consent.
The underwriter can get consent on behalf of the broker, or pass their consent terms to the broker to get consent from their client. The LMA has a working group working on co-ordinated guidance on this – so that there is a recognised clause, rather than multiple variants.
As a trusted provider of underwriting and data solutions to the London Market for nearly 30 years, we appreciate GDPR compliance may be a daunting challenge.
The good news is that Northdoor’s “Protect IT” security practice has an established set of reviews and recommendations to help you achieve and maintain compliance. We offer software tools to help you discover, classify, protect and govern data over time, regardless of where or how it is stored.
To find out how we can help you achieve GDPR compliance rapidly, efficiently and at low cost, download our two-page overview of everything you need to know and contact us for an assessment.