The General Data Protection Regulation (GDPR) came into force on 25.05.2018

Since compliance is an ongoing task for all businesses, our Free GDPR Toolkit (with infographics, marketing guidance, customisable sample policies and checklists) may be of use to you! The toolkit includes a Checklist, to map out which parts of the GDPR will have the greatest impact on your business model, and create a plan to focus on those areas in your planning process.

If you have yet to implement a data breach response policy, request a copy of our free sample GDPR compliant data breach response policy today!

If you are interested in future, free, business resources, guidance or regulatory information, please Actively Sign Up to receive occasional free resources, guidance & information from Insurance2day.

Who Does GDPR Affect?

All businesses that hold personal information (data) of clients, suppliers, staff etc.

Personal data = data that can identify a living individual, e.g. name, address, e-mail address, phone number, IP address, pseudonym, photograph etc.

Sensitive personal data = data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric data, genetic data, health data etc.

So What If We Don’t Comply?

  • Fines up to €20,000,000 or 4% of Turnover
  • Are Fines Insurable? Probably Not

So What Do We Need to Do?

  • Follow the Information Commissioner’s Office (ICO) 12 steps, which in summary are as follows:

1. Awareness
Of changes and impact

2. Information You Hold
Conduct an Information Audit. Eliminate unnecessary processing & retention of data

3. Communicating Privacy Information
Issue/Update Privacy Notices (HR and external)

4. Individuals’ Rights
Ensure your procedures cover these

5. Subject Access Requests
Document your procedures for Handling Requests

6. Lawful Basis For Processing Personal Data
Document your legal basis for processing personal data and include in your Privacy Notice

7. Consent
Seek, Record and Manage Consent. Opt-In, not Opt-Out. See ICO’s consent checklist

8. Children
Parental consent is needed for under-16s; for online services the threshold is under 13

9. Data Breaches
Document your procedures to Detect, Report & Investigate Breaches

10. Data Protection by Design and Data Protection Impact Assessments
Identify and reduce the privacy risks of new projects or policies

11. Data Protection Officers
Required if you carry out “regular and systematic monitoring” of individuals on a large scale, or if you process large amounts of sensitive personal data

12. International
If data is shared outside of the EU

The Big Change with GDPR = Accountability

GDPR Compliance Check List:

1. Ensure senior management understand the requirements under GDPR

2. Appoint a Data Protection Officer (DPO), or a Data Protection Champion if a DPO is not compulsory

3. Provide (and Document) Staff Training

4. Conduct an Information Audit

5. Update/Create Privacy Notices for: (i) Employees and (ii) Customers/Suppliers

6. Establish a Culture of Monitoring and Assessment

7. Create Policies and Procedures

  • to ensure data is used and processed in a legally acceptable manner
  • to ensure consent is received and documented
  • to comply with data subjects’ rights, including their rights: to be informed; to access; to rectification; to erasure; to data portability; to object to direct marketing; and to object to automated decision-making.
  • to store and retain data in line with GDPR requirements (minimising the risk of unnecessary processing and retention of data)
  • to follow in the event of a data breach
  • to follow if you transfer personal data outside of the EU
  • to incorporate ‘privacy by design’ for new projects or policies
  • to ensure any outsourced providers are GDPR compliant (e.g. payroll, marketing etc.)

8. Consider your Insurance Options

Are There GDPR Insurance Options?

Yes, insurance cover can be arranged, to provide:

  • Data breach crisis response and incident management
  • Defence costs in respect of regulatory investigations
  • Cover for contacting customers/suppliers, where legally required to following a breach of data protection law
  • Expert advice and assistance

The more comprehensive policies cover:

  • Electronic and/or Manual data breaches
  • Individual & Third-Party Corporate Information data breaches

Complete the form below for details of our Cyber/GDPR data breach insurance solution


Please carefully review the Statement of Fact below and advise if you do not agree with ALL of the statements:

  1. You EITHER do not store payment card data; OR you store fewer than 10,000 payment card records; OR all stored payment card data is encrypted
  2. You do not collect or store the personally identifiable information of more than 10,000 individuals
  3. Any personally identifiable information stored on mobile devices such as USB sticks, laptops and tablets is encrypted
  4. You are not aware that you collect or store personally identifiable information of US citizens and no turnover is generated from sales to the US
  5. There is no reason to expect contentious content would appear on your website, posted by you or any other person
  6. You EITHER have evidence of training and a written statement on how to maintain the privacy of personally identifiable information; OR you have a plan to have these in place in the next 3 months
  7. You EITHER use a third-party provider (e.g. Dropbox or another cloud provider) to store data off your own network; OR you complete regular back-ups of the computer network(s) and data and store the back-ups off site
  8. You, and every director, officer, board member, senior manager or employee of your organisation, are NOT aware of any circumstance which may give rise to a claim or loss in respect of privacy, a breach of network or information security or unauthorised disclosure of information
  9. NO loss or claim, whether successful or not, has ever occurred or been made against you or your predecessors in business or any past or present director, officer, board member, senior manager or employee in respect of privacy, breach of information or network security, unauthorised disclosure of information, defamation or content infringement or cyber extortion
  10. You have NOT received any complaints with respect to, or suffered any problems relating to, or been the subject of regulatory investigations or requests for information in respect of privacy, breach of information or network security, or unauthorised disclosure of information

Disclaimer

The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.