The General Data Protection Regulation (GDPR) came into force on 25.05.2018

Since compliance is an ongoing task for all businesses, our Free GDPR Toolkit (with infographics, marketing guidance, customisable sample policies and checklists) may be of use to you! The toolkit includes a Checklist, to map out which parts of the GDPR will have the greatest impact on your business model, and create a plan to focus on those areas in your planning process.

If you have yet to implement a data breach response policy, request a copy of our free sample GDPR compliant data breach response policy today!

If you are interested in future, free, business resources, guidance or regulatory information, please Actively Sign Up to receive occasional free resources, guidance & information from Insurance2day.

Who Does GDPR Affect?

All businesses that hold personal information (data) of clients, suppliers, staff etc.

Personal data = data that can identify a living individual e.g. name, address, e-mail address, phone number, IP address, pseudonym, photograph etc

Sensitive personal data = data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric data, genetic data, health data etc

So What If We Don’t Comply?

  • Fines up to €20,000,000 or 4% of Turnover
  • Are Fines Insurable? Probably Not

So What Do We Need to Do?

  • Follow the Information Commissioner’s Office (ICO) 12 steps, which in summary are as follows:

1. Awareness
Of changes and impact

2. Information You Hold
Conduct an Information Audit. Eliminate unnecessary processing & retention of data

3. Communicating Privacy Information
Issue/Update Privacy Notices (HR and external)

4. Individuals’ Rights
Ensure your procedures cover these

5. Subject Access Requests
Document your procedures for Handling Requests

6. Lawful Basis For Processing Personal Data
Document your legal basis for processing personal data and include in your Privacy Notice

7. Consent
Seek, Record and Manage Consent. Opt-In, not Opt-Out. See ICO’s consent checklist

8. Children
Parental Consent Needed for under 16s; for online services this is under 13

9. Data Breaches
Document your procedures to Detect, Report & Investigate Breaches

10. Data Protection by Design and Data Protection Impact Assessments
Identify and reduce the privacy risks of new projects or policies

11. Data Protection Officers
Required if “regular and systematic monitoring” of individuals at a large scale, or if a lot of sensitive personal data is processed

12. International
If data is shared outside of the EU

The Big Change with GDPR = Accountability

GDPR Compliance Check List:

1. Ensure senior management understand the requirements under GDPR

2. Appoint a Data Protection Officer (DPO), or a Data Protection Champion if a DPO is not compulsory

3. Provide (and Document) Staff Training

4. Conduct an Information Audit

5. Update/Create Privacy Notices for: (i) Employees and (ii) Customers/Suppliers

6. Establish a Culture of Monitoring and Assessment

7. Create Policies and Procedures

  • to ensure data is used and processed in a legally acceptable manner
  • to ensure consent is received and documented
  • to comply with data subject’s rights, including their rights: to be informed; to access; to rectification; to erasure; to data portability; to object to direct marketing; and to object to automatic decision making.
  • to store and retain data in line with GDPR requirements (minimising the risk of unnecessary processing and retention of data)
  • to follow in the event of a data breach
  • to follow if you transfer personal data outside of the EU
  • to incorporate ‘privacy by design’, for new projects or policies
  • to ensure any outsource providers will be GDPR compliant (e.g. pay roll, marketing etc)

8. Consider your Insurance Options

Are There GDPR Insurance Options?

Yes, insurance cover can be arranged, to provide:

  • Data breach crisis response and incident management
  • Defence costs in respect of regulatory investigations
  • Cover for contacting customers/suppliers, where legally required to following a breach of data protection law
  • Expert advice and assistance

The more comprehensive policies cover:

  • Electronic and/or Manual data breaches
  • Individual & Third Party Corporate Information data breaches

Complete the form below for details of our Cyber/GDPR data breach insurance solution


Please carefully review the Eligibility Criteria below and advise if you do not agree with ALL of the statements:

- Your company has been in operation for more than 24 months
- USA revenues are less than 25% of the overall revenue
- Revenues from online or automated platforms account for less than 25%
- Revenues from credit card transactions account for less than 25%
- If you handle credit card transactions, you are compliant with the data security standard of PCI (the Payment Card Industry Data Security Standard)
- You don’t use SCADA (Supervisory Control & Data Acquisition) or similar process control software
- You have not sustained any losses and have not been subject to any claims in the past 5 years which would be covered under the proposed insurance.
- There are no acts, errors, omissions, circumstances, facts, situations, events, incidents or transactions which you are aware of, or ought reasonably to have been aware of, that may give rise to a claim or loss under the proposed insurance.
- All material facts have been disclosed.

Disclaimer

The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.