On May 25th this year we will see the introduction of the General Data Protection Regulation (GDPR) across the UK and Europe, which aims to strengthen the rights of citizens over how their data is stored and used.
New rights to data access and consent
The new rules will give individuals the right to access their personal data, to request that it be erased or corrected, and to object to data profiling and direct marketing.
Under the new GDPR legislation, consent to process personal data must be given actively (not via pre-ticked boxes) and it must be relatively easy to withdraw that consent. The consent that you have already gathered as a business must also meet these standards, so if it doesn’t you will need to refresh it.
Exemptions from consent compliance
There are of course some instances when the processing of information is necessary for certain businesses, so in limited situations consent isn’t always needed.
However, consent is the main way to comply with GDPR. There may be legitimate reasons to permit processing of personal data, such as a hospital treating someone following a serious accident, or a debt collection agency requiring new address information, for example.
Failing to comply with GDPR
Under the new guidelines fines are very strict. If you fail to follow the basic principles on rights to access and consent your business can face fines of up to €20 million or 4% of your global annual turnover, whichever is greater.
This is of course a maximum fine. The ICO will be issuing fines as a last resort and will implement them proportionately and judiciously. As a matter of course though, companies should be considering insurance should they find themselves in breach of legislation.
A well designed cyber insurance policy will need to cover IT, legal, and PR assistance during a cyber-attack.
Informing customers of a data breach
In addition to consent and data access, should a company experience a data breach, then under GDPR rules they are legally required to inform customers within 72 hours of becoming aware of the attack.
The legislation applies to both controllers and processors of data, so even if they are based outside of the EU the GDPR will still apply to them when handling the data of EU residents.
Those companies who fail to meet the 72-hour deadline could face the penalty of up to 2% of their annual worldwide revenue or €10 million, whichever is higher.
An update to personal data
To reflect the types of data that organisations collect these days, the meaning of personal data has been expanded to include online identifiers such as IP addresses and mobile IDs.
GDPR recognises that a name is not necessarily required to identify someone: ID numbers, location data and online identifiers can all be used. In addition, physical, physiological, genetic, mental, economic, cultural and social factors, or even pseudonyms, can identify people. Insurance coverage will therefore need to cover breaches in each of these areas.
But aren’t we leaving the EU?
Whilst the UK will be leaving the EU as a result of Brexit, we will still be a member when GDPR comes into force, and a new Data Protection Bill put forward by the UK government in August last year essentially replicates the requirements of GDPR. This will clarify the regulations on protecting data once we leave the EU.
How do you get consent under the GDPR rules?
Passive acceptance given by pre-ticked boxes or opt-outs will no longer be acceptable and so consent must be actively given. Moving forward you must keep a record of how and when an individual gave their consent, and of course, they may remove their consent at any time.
The ICO has produced a draft guide to consent.
How should Directors and Officers prepare for GDPR?
As GDPR will come into force in just a few months you need to act now to ensure your business is prepared and has the correct procedures in place. As many Directors and Officers are increasingly being found personally liable for cyber breaches, we would recommend that you take the following precautions and review your D&O and cyber insurance:
• Actively review your process for collecting clients’ data and ensure you are requesting an active opt-in. Be sure to record what, when and how they consented to opting in, and have strict policies on buying in data from external sources. Review contracts with third-party processors and ensure they are fit for GDPR.
• Develop a culture, starting at board level, of transparency and accountability on how you use personal data.
• Ensure you have Directors’ and Officers’ insurance or a robust cyber security insurance policy in place and that your liability policy covers data breaches. Review the policies currently in place and examine the indemnity limits.
• Provide staff with regular and refresher training on best practices of cyber security and ensure security is a top priority across the business. Review these six sure steps to cyber security.
As John Catibog, Cyber Insurance Specialist at Indagard, explains, it isn’t just businesses in the UK that will be affected by GDPR. He says: “GDPR impacted Australian businesses with a presence (physical or not) in the EU when it began. Businesses must comply with the GDPR requirements on how data is collected, managed and secured. Some of these requirements include gaining consent in collecting personal data, allowing consumers the right to be “erased” and notifying authorities of a breach within 72 hours. They are also subject to the penalties under the laws.
“The RIGHT cyber insurance can extend certain cover to activities in the EU IF that activity was disclosed to and accepted by underwriters. There’s a lot of misunderstanding with cyber insurance at present, so it’s best to have a tailored policy because, contrary to what most people think, not all policies are the same.”
It is important that as an organisation, you regularly update your network security, install and update anti-virus and anti-malware software and offer continued training to employees.
If you are unsure of what you need to do as a business to comply with the changes being enforced by GDPR, visit the ICO website for more advice, and contact Bluedrop Services for an obligation-free Directors’ and Officers’ liability insurance or cyber security insurance quote today.