GDPR – Data Protection But Not As We Know It


On the 25th May the General Data Protection Regulations ( GDPR ) comes into force which will change the whole world of how personal data is managed for individuals that live within the EU member states.

The concept behind this is to give people back control of their data which imposes strict data protection obligations on businesses and provides individuals with the right of redress should their data not be managed in accordance with these regulations.

Despite the fact that the UK will be leaving the EU next year, the regulations will apply to UK businesses after which these will then be replaced by the proposed Data Protection Bill that will impose similar data protection regulations.

GDPR is arguably long over due, in the UK we currently have the Data Protection Act 1998, to put this into context at the time that this was implemented , there are analogue television and dial – up internet…. .. The increase in the use of personal data has increased dramatically since then due to the advances in technology and how people interact with the many modes of communication such as social media.

In the UK the Information Commissioners Office (ICO) will monitor and regulate the GDPR. The ICO website provides a guide to businesses explaining their obligations and to help those individuals who have day to day responsibility for data protection within their organisation.

In order to help businesses prepare for for these new regulations the ICO have published “Preparing for the GDPR – 12 Steps to take now

What types of data does this apply to ?

This relates to any information which is personally identifies an individuals and includes the following :-

Names & addresses

Passport Number

National Insurance Number


Biometric data such as fingerprints , iris scanning and voice recognition

The Dangers of Non-Complaince 

The profile of GDPR is gathering moment and no doubt individuals will wish to be aware of the amounts data that is held against their name. With this will bring about situations where individuals request details and these are unavailable due to non-compliance with business being unable to produce the information at all or within the required time limits.

The other issue and the one with the most significant consequences is where a business suffers a data breach as a result of a hacker attack or an perhaps an error or deliberate act by an employee, the details are then disseminated into the public domain or used for ill gotten gains. The ICO has powers to issue fines of up to 4% of  worldwide turnover of a businesses or 20 million Euros whichever is the greater. This is an uplift from GBP500,000 under the current regulations, this therefore represents a significant increase and demonstrates that a serious non-compliance will have severely consequences.

Managing GDPR

It will be essential that the correct processes and procedures are in place and in the event of a data breach it is important that an incident response plan is readily available whether this having been drawn up internally or with the help of a specialist consultancy. The incident response plan will consists of various vendors to help manage the breach such as lawyers and public relations consultants.

A cyber insurance policy provides such resources and is offered by insurers on a 24/7 basis should the policyholder be subject to a data breach.

The management of these new regulations within a businesses is going to be a fundamental focal point going forward with personal at all levels needing to be aware of their day to day obligations in the processing and handling of data.

Image : Shutterstock

Cyber Security – New EEC Directive

Cyber Security - New EEC Directive

This week the EEC announced  the first cyber security law , the Network and Information Security Directive . This is a security and reporting directive for companies in critical businesses sectors such as transport , energy , health and finance. This will also apply to to the likes of Google and Amazon .

The directive is primarily two fold :-

1.Requirement of companies to report cyber security breaches

2.Requirement of companies to ensure that they have a secure digital infrastructure in place.

A body of teams will be set up manage incidents in the shape of Computer Security Incidents Response Teams (CSIRTS).

This is likely to ensure greater visibility of cyber crime and data breaches within companies. The impact of which could have commercial consequences as to whether companies can be considered to have adequate cyber security in place by its trading partners . The emphasis of this law is clearly to encourage companies to address their  cyber security and it would be prudent that companies are proactive now in order to be ready for the implementation of this law which is anticipated to come into force within the next two years .

This is a timely decision, as in the US this week , the Federal Trade Commsssion won a lawsuit against Wyndham Worldwide Corporation who failed to properly safeguard customers information . Three separate data breaches were suffered affecting 619,000 customers and led to $10.60M in fraudulent credit card charges. As a result of this Wyndham will be required to improve all aspects of their cyber security.

This new directive should not be confused with the General Data Protection Regulation which will bring unformity to data protection laws in the EEC and compulsory data breach notification for all businesses.

The impact of this new directive will no doubt provide insurers in the cyber liability insurance market with some much needed comfort as one of their focuses in their rating and assessment of exposures is the level of cyber security.

If  this is going to improve it will eventually impact on premiums and conceivably exert downward pressure on premium rates.