GDPR – two years on

Published on Thu, 14/05/2020 - 12:33

Two years after the General Data Protection Regulation (GDPR) came into force, Airmic has published a white paper outlining the actions taken so far, lessons learnt and a checklist for risk professionals.

The paper, GDPR – 2020, was developed in partnership with BLM and also includes a postscript outlining the implications of COVID-19 for cyber security and data privacy.

“The GDPR might not be top-of-mind for risk professionals now, given that exigencies related to the COVID-19 pandemic have overwhelmed many,” said Hoe-Yeong Loke, Airmic’s research manager.

“Nevertheless, a number of implications for data protection and cyber security have arisen, and they require attention. This white paper also usefully includes a checklist for risk managers in complying with the GDPR as an ongoing programme.”

The key takeaways from major investigations and fines to date include: the benefits of cooperating early with investigators to reduce penalties and implement security improvements; the potential for the Information Commissioner’s Office (ICO) to issue ‘stop processing’ notices while it is investigating; and the need to develop robust processes for checking the data protection protocols and controls of third parties.

“There is increased awareness (often through training received at work) on the part of individuals as to their rights under the GDPR and the Data Protection Act 2018, and the obligations imposed on organisations,” said Tim Smith, partner at BLM. “This, coupled with awareness of breaches, some favourable decisions from the courts and claims farming by claimant lawyers, has led to an increase in the number of such claims.”

The paper also contains a discussion on insurability and how organisations should seek affirmative cover for fines and penalties for a breach of GDPR, where possible.

“In order to maximise the potential for recovery, you should challenge standard policy exclusions that preclude insurance coverage for fines unless they are ‘insurable under the applicable law’,” said Graeme Newman, chief innovation officer at CRD Underwriting.

“To do so, you should seek greater certainty by preventing insurers from denying claims unless they are expressly prohibited by a court within the appropriate jurisdiction. Doing this removes the potential for interpretation of common law by insurers’ claims teams and puts the onus on an independent third party to prevent recovery.”

To read the full GDPR – 2020 paper, click here.