The General Data Protection Regulation (GDPR) came into force on 25.05.2018 and with it many changes from the previous Data Protection Act (DPA).

For businesses and organisations already complying with previous data protection laws, the new regulation is only a “step change”. If you were previously subject to the DPA, it is likely that you are also subject to the GDPR.

Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data must be reported to those affected and the Information Commissioner’s Office (ICO) within 72 hours of discovery.

Can Insurance Cover be Arranged?

Yes, please complete the form below for details of our Cyber/GDPR data breach insurance solution.


Please answer the following 5 QUESTIONS:

4. Please carefully review the Eligibility Criteria below and advise us if you do not agree with ALL of the statements:

- Your company has been in operation for more than 24 months
- USA revenues are less than 25% of the overall revenue
- Revenues from online or automated platforms account for less than 25%
- Revenues from credit card transactions account for less than 25%
- If you handle credit card transactions, you are compliant with the PCI DSS (Payment Card Industry Data Security Standard)
- You don’t use SCADA (Supervisory Control & Data Acquisition) or similar process control software
- You have not sustained any losses or been subject to any claims in the past 5 years which would be covered under the proposed insurance.
- There are no acts, errors, omissions, circumstances, facts, situations, events, incidents or transactions which you are aware of, or ought reasonably to have been aware of, that may give rise to a claim or loss under the proposed insurance.
- All material facts have been disclosed.

What is meant by “data”?

Both personal data and sensitive personal data are covered by GDPR.

Personal data broadly means any piece of information that can be used to identify a person. This can be a name, address, IP address, etc.

Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation and more.

These definitions are largely the same as those within the current DPA, but where GDPR differs is that pseudonymised personal data can also fall under the law – if it’s possible that a person could be identified from a pseudonym.

What organisations are covered by the GDPR?

Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.

For companies with more than 250 employees, there is a requirement to hold documentation setting out why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for, and descriptions of the technical security measures in place.

For companies with fewer than 250 employees, those that carry out “regular and systematic monitoring” of individuals on a large scale, or process a lot of sensitive personal data, must employ a data protection officer (DPO). This may mean having to hire somebody specifically to fill this new role or incorporating the responsibilities within an existing role. However, the person must report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

What do we need to do to achieve compliance?

The Information Commissioner’s Office (ICO) has put together a 12-point action plan.

Ignoring it or getting it wrong could be costly: infringement can bring fines of up to 4% of annual global revenue and damage corporate reputation.

Act now!