EU member states have now operated within the General Data Protection Regulations (GDPR) for 2 years since they came into force on 25 May 2018, bringing with them a huge change in data protection law.
The GDPR seeks to balance the privacy rights of individuals with the capacity of businesses to use data for their own purposes in the internet era. In most organisations, the IT and Data Privacy teams have led the compliance project. However, risk managers have had a major role to play in ensuring that the risk of non-compliance is understood by all employees and stakeholders (e.g. contractors and suppliers) and that the organisation develops a GDPR-aware culture. Complying with the GDPR is an enterprise risk that requires organisation-wide change. As major breaches of the regulations and the implications of these are announced, Airmic members can continue to support their organisations in navigating the changing road map to compliance.
This white paper, developed with BLM, follows two previous Airmic papers on the GDPR (see details below) and highlights some of the notable developments since the law came into force and the implications for organisations.
- The EU General Data Protection Regulations: What risk managers need to know (Airmic 2017).
- GDPR Goes Live: A framework for Airmic members (Airmic 2018).
A reminder of the major provisions:
- Mandatory reporting of data breaches within 72 hours.
- Hefty fines of up to the greater of 4% of annual global turnover or €20 million.
- Appointment of a Data Protection Officer (DPO), for prescribed organisations.
- Expanded scope, applying to data controllers and now data processors.
- Expanded definition of personal data, including online identifiers.
- Expanded reach, applying to organisations within or targeting the EU.
- New rights for data subjects, including the right to be forgotten and the right to data portability.
- Easier access by individuals to their own data, including a right to more extensive information.
GDPR: The practical consequences since May 2018
Despite the noise surrounding the GDPR coming into force, the consensus was that there would be significant delays before breach investigations by the Information Commissioner's Office (ICO) would lead to hefty fines. Organisations anticipated a lenient approach from regulators and hoped that by taking action to investigate the data they hold and how it is processed, they would be considered compliant. However, the extremely high-profile investigations into organisations such as British Airways, coupled with a heightened public consciousness of data protection issues and the rights of individuals, mean that the GDPR is something organisations must continue to consider and address.
Airmic member organisations have experienced the following changes:
- A vast increase in the number of data breach notifications they are making to the ICO.
- A challenge in meeting the 72-hour reporting requirement.
- IT and Data Privacy teams being the focus during investigations.
- Major increases in investigation costs and liability payments.
- A tolerance from the ICO towards small businesses but some headline fines imposed on major corporates.
- A tendency of the public to exercise the new subject access rights more than any other GDPR rights.
- A much greater consciousness of the accountability principle.
The ICO is under a huge strain, with some reports stating that its notification hotline is receiving 500 calls a week, at least a third of which are quickly identified as concerning issues that do not need to be reported. This highlights the incredibly cautious approach being taken by organisations in the UK.
Tim Smith says: “There is increased awareness (often through training received at work) on the part of individuals as to their rights under the GDPR and the Data Protection Act 2018, and the obligations imposed on organisations. This, coupled with awareness of breaches, some favourable decisions from the courts and claims farming by claimant lawyers, has led to an increase in the number of such claims.”
A checklist for risk managers: 7 questions to ask now and 7 continuous steps to take
Complying with the GDPR is not a one-off project. An integrated, thorough and transformational programme is required that addresses how an organisation’s personnel, processes and systems handle personal data. Compliance programmes must be ongoing and iterative, considering lessons learned and best practice, and testing procedures.
What can Airmic members learn from the major investigations and fines so far?
In July last year, the ICO announced its intention to fine British Airways £183.4 million and Marriott £99.2 million. These were “notices of intent” rather than final determinations and the ICO has recently announced that the period for challenging the notices of intent has been extended until 31 March 2020.
- Businesses can reduce fines by co-operating with investigations and taking steps to swiftly identify the cause of the incident, rectify the data, notify affected individuals and implement security improvements.
- Organisations must develop robust processes for checking the data protection protocols and controls of third parties. The distraction of a merger or acquisition can drag away resource at a time when the GDPR risk is at its highest.
- The ICO is not just focusing its investigations on technology firms, as some expected.
- As well as fines, regulators are also using their right to issue ‘stop processing’ notices, which require an organisation in breach of the GDPR to cease the particular data processing that is being investigated.
- The complex issues of “consent and transparency” underpin many complaints. Organisations must demonstrate that they are clear and concise when describing to data subjects how they use their personal data.
- The ICO is adopting a tough stance even where the breach is the work of an external party or a criminal hack. Organisations must demonstrate that they are taking data privacy seriously.
How can cyber insurance support organisations?
The availability and benefits of cyber insurance have become clearer as organisations have improved awareness of their obligations, have been hit with data access requests and breaches, and have stress tested gaps in existing cover. Investigation costs and liability payments have risen as breaches and incidences of cyber-crime have risen. As claims start to hit, cyber products are becoming more refined and tailored. Airmic members have had success in using this awareness to begin meaningful conversations with their IT and Data Privacy teams around cover.
The GDPR is a sweeping set of rules which has created a wider range of triggers and broader potential breaches than those catered for within a typical cyber policy. BLM highlights that insurer-backed incident response teams are swift and effective in unravelling breach incidents, which supports organisations meeting the 72-hour reporting requirements, and in demonstrating to the ICO that action has been taken to contain a breach and prevent it happening again. In most cases, investigation costs, restoration costs, and other costs and liabilities associated with the breach are insurable. However, the ultimate question for organisations is whether GDPR fines and penalties can be covered, as these have the potential to be huge in size and their insurability varies by local law.
Organisations should seek affirmative cover for fines and penalties for a breach of the GDPR, where insurability is possible.
Key factors in answering the insurability question will likely include:
- What is the nature of the fine or penalty and what has led to the non-compliance?
- Intentional or reckless wrongdoing?
- Strict or no-fault liability?
- Does the policy expressly provide or preclude coverage?
- What is the choice of law provision in the policy?
- What are the decisions of the courts in the relevant jurisdictions?
“In order to maximise the potential for recovery, you should challenge standard policy exclusions that preclude insurance coverage for fines unless they are ‘insurable under the applicable law’. To do so, you should seek greater certainty by preventing insurers from denying claims unless they are expressly prohibited by a court within the appropriate jurisdiction. Doing this removes the potential for interpretation of common law by insurers’ claims teams and puts the onus on an independent third party to prevent recovery.” Graeme Newman, Chief Innovation Officer, CFC Underwriting