The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
Since compliance is an ongoing task for all businesses, our Free GDPR Toolkit (with infographics, marketing guidance, customisable sample policies and checklists) may be of use to you! The toolkit includes a Checklist, to map out which parts of the GDPR will have the greatest impact on your business model, and create a plan to focus on those areas in your planning process.
If you have yet to implement a data breach response policy, request a copy of our free sample GDPR compliant data breach response policy today!
If you are interested in future, free, business resources, guidance or regulatory information, please Actively Sign Up to receive occasional free resources, guidance & information from Insurance2day.
Who Does GDPR Affect?
All businesses that hold personal information (data) about clients, suppliers, staff etc.
Personal data = any data that can identify a living individual, directly or indirectly, e.g. name, address, e-mail address, phone number, IP address, pseudonym, photograph etc.
Sensitive personal data (the GDPR's "special categories") = data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, plus biometric data, genetic data, health data and data concerning sex life or sexual orientation.
So What If We Don’t Comply?
- Fines of up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher
- Are Fines Insurable? Probably Not
So What Do We Need to Do?
- Follow the Information Commissioner’s Office (ICO) 12 steps, which in summary are as follows:
1. Awareness
Make sure decision makers and key people are aware of the changes and their impact
2. Information You Hold
Conduct an Information Audit. Eliminate unnecessary processing & retention of data
3. Communicating Privacy Information
Issue/Update Privacy Notices (HR and external)
4. Individuals’ Rights
Ensure your procedures cover these
5. Subject Access Requests
Document your procedures for Handling Requests
6. Lawful Basis For Processing Personal Data
Document your legal basis for processing personal data and include in your Privacy Notice
7. Consent
Seek, Record and Manage Consent. Opt-In, not Opt-Out. See the ICO's consent checklist
8. Children
Parental consent is needed to offer online services to children: the GDPR sets the age threshold at under 16, and the UK has lowered it to under 13
9. Data Breaches
Document your procedures to Detect, Report & Investigate Breaches
10. Data Protection by Design and Data Protection Impact Assessments
Identify and reduce the privacy risks of new projects or policies
11. Data Protection Officers
Required if you are a public authority, if your core activities involve "regular and systematic monitoring" of individuals on a large scale, or if sensitive personal data is processed on a large scale
12. International
Document your safeguards if personal data is transferred outside the EU
The Big Change with GDPR = Accountability
GDPR Compliance Check List:
1. Ensure senior management understand the requirements under GDPR
2. Appoint a Data Protection Officer (DPO), or a Data Protection Champion if a DPO is not compulsory
3. Provide (and Document) Staff Training
4. Conduct an Information Audit
5. Update/Create Privacy Notices for: (i) Employees and (ii) Customers/Suppliers
6. Establish a Culture of Monitoring and Assessment
7. Create Policies and Procedures
- to ensure data is used and processed in a legally acceptable manner
- to ensure consent is received and documented
- to comply with data subjects' rights, including their rights: to be informed; of access; to rectification; to erasure; to data portability; to object to direct marketing; and to object to automated decision-making
- to store and retain data in line with GDPR requirements (minimising the risk of unnecessary processing and retention of data)
- to follow in the event of a data breach
- to follow if you transfer personal data outside of the EU
- to incorporate ‘privacy by design’, for new projects or policies
- to ensure any outsourced providers (e.g. payroll, marketing etc.) are themselves GDPR compliant, with written processor contracts in place
8. Consider your Insurance Options
Are There GDPR Insurance Options?
Yes, insurance cover can be arranged, to provide:
- Data breach crisis response and incident management
- Defence costs in respect of regulatory investigations
- Cover for contacting customers/suppliers, where legally required to following a breach of data protection law
- Expert advice and assistance
The more comprehensive policies cover:
- Electronic and/or Manual data breaches
- Individual & Third Party Corporate Information data breaches
Complete the form below for details of our Cyber/GDPR data breach insurance solution
The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.