Daniel Fletcher from QBE Business Insurance examines the challenges which businesses and other organisations will face when the General Data Protection Regulation (GDPR) is introduced from May 2018, and how they can best adapt.
With warning bells still ringing following the malicious ‘WannaCry’ attack on computers and systems in over 100 countries last month, how we store and protect our data has moved centre stage.
It is against this background that the EU’s General Data Protection Regulation (GDPR) will – on 25 May 2018 – replace the UK Data Protection Act (DPA).
The new, wider regulation, which will be implemented despite Brexit, introduces stronger fines for non-compliance and will also apply to any non-EU company dealing with people in the European Union.
Accordingly, the GDPR will impact on a wide range of organisations, from the many large businesses who currently work with QBE on their insurance needs, through to future tours by international sports teams such as the British and Irish Lions (whose current tour of New Zealand is sponsored by QBE).
The Act clarifies how businesses should process and store data and mandates that, after a data breach, people will be able to seek redress if non-compliance has caused “distress”, rather than any specific financial hardship.
Businesses will also no longer be able to remain silent about breaches (to avoid reputational impact and embarrassment) and will have an obligation to inform their local supervisory authority within 72 hours. Failure to comply will lead to fines of up to 4 per cent of global annual turnover or €20m – whichever is greater.
Under the new rules, data controllers will have to go to greater lengths to demonstrate valid consent for data usage, for example, a positive indication of agreement to personal data being processed, backed up by a clear and effective audit trail.
An individual will be able to ask for a copy of any data an organisation may hold about them, as well as details of why it’s being processed and the source of the data. In most cases, companies will not be able to charge for complying with a request and will only have a month to act, rather than the current 40 days.
The GDPR will also enhance cybersecurity, a key concern given figures released by ActionFraud last year showing UK businesses lost more than £1 billion to online crime in the year to March 2016.
So what can businesses be doing now to prepare for this new regime?
In January, QBE European Operations established an expert working group to draw up a model – to define our data protection capabilities – in line with the new legislation.
Crucially, we treated the new regulations as a business-change issue, centred on driving cultural change within the organisation, and not an IT issue. With that in mind we believe change should be driven from the ground up. Buy-in at Board level should be made easier, once executives realise their reputation is at stake.
QBE also runs regular breach scenarios to help the business prepare for a data breach – ensuring the implementation of robust security measures.
Under the GDPR, businesses will have to implement technical and organisational measures to ensure a level of security appropriate to the risk, whilst at the same time be able to show they have integrated data protection into all processing activities.
Our advice - the earlier businesses begin planning for GDPR compliance, the better. New procedures might be required to deal with the need to be transparent about data handling and subject rights and consideration should be given to the budget, personnel and governance implications these changes could have.
The scope of the business change required for GDPR should not be underestimated. It affects the majority of business processes and will require major change to the culture of business and the majority of the IT estate. Estimated costs of compliance have ranged from £1 - £20million per business across London.
Data protection is about more than email marketing and hanging on to files longer than is necessary, just as cyber-security is about much more than just hacking or phishing. If businesses are to stay ahead of the curve, they are going to have to start adapting to this shifting regulatory environment as soon as possible.
Daniel Fletcher is a Cyber Expert at QBE Business Insurance. For more information on QBE, please visit: https://qbeeurope.com/
If you would like to know more about how your business can become complaint with GDPR, click here for the GDPR Summit London, 30th January.