With just over a year to go before the new General Data Protection Regulation (GDPR) brings significant changes, Steve Sands, chief information security officer (CISO) and data protection officer (DPO) at Synectics Solutions, shares five things all data controllers and processors need to know.
- GDPR will become fully enforceable from 25th May 2018
- There will be just six key principles, which require that personal data is accessed and used lawfully, fairly and transparently, and only for explicit and legitimate purposes.
- New accountability requirements bring sanctions and breach penalties that will make businesses sit up and take notice – including fines of up to 4% of turnover.
- There is likely to be a shortage of expert data protection officers as all businesses with more than 250 employees or those who process data for more than 5,000 subjects will be affected by GDPR.
- GDPR enshrines the right of portability of data between companies.
So, what is changing?
According to a report published by PwC in May 2016, the main changes that GDPR will bring are as follows.
- Data breach deadlines: Insurers will have just 72 hours to disclose a personal data breach to the regulators, and in some cases to the affected individuals.
- Better quality consents required: Insurers will have to meet tougher quality requirements for legal consent, if they want to rely on consent to process personal data. Customers must give that consent freely and on the basis they have been fully informed about the nature of each type of usage. The insurer will have to be able to prove that they have obtained consent of the right quality.
- Privacy by design: Insurers will be required to minimise the collection and use of personal data – and will be expected to do this automatically as they design new products and services.
- New fines and penalties: Regulators will have the power to fine insurers up to €20m or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches of data protection laws.
- Processing now at risk: Customers will have the right to object to having data on them used for insurance activities such as risk and pricing modelling unless the insurer has compelling and legitimate reasons for doing so. Customers have the right to object to data processing for direct marketing.
- Profiling gets tougher: Insurers won’t usually be allowed to make decisions about customers purely on the basis of automated processing, including profiling, unless they have established a legal right to do so, which will generally be contract-based.
- New right to be forgotten: Customers will be entitled to ask insurers to delete their personal data where it is no longer required for its original purpose, or where they have withdrawn their consent.
- Portability guaranteed: Customers will be entitled to request that their personal data is transferred from one insurer to another as they switch companies. Insurers will be obliged to facilitate this.
- International data transfers: While EU data transfer rules are not fundamentally altered, there will be enhanced regulation of the mechanisms put in place to ensure that personal data is properly protected when abroad.
- Data protection officers: Some commentators are interpreting the GDPR as requiring the compulsory employment of Data Protection Officers (DPOs) in the insurance sector. PwC considers that DPOs are required as a matter of good governance in all cases.