The General Data Protection Regulation (GDPR) comes into enforcement on May 25th, 2018. The potential fines under GDPR are substantial. At their extreme they can be as great as €20m or, and this makes it important to companies of all sizes, 4% of global revenue, whichever is the greater.
The (re)insurance market may, however, be failing to address the challenges brought about by GDPR. According to Fifth Step CEO Darren Wray, there are a number of causes of those failures. Wray said: “The first driver of likely non-GDPR compliance is procrastination. In some cases, this is a result of not recognising the scale of the GDPR programmes, which did not make the progress they needed to in 2017. My observations are further borne out by a recent survey by the law firm Paul Hastings, in which they find that only 39% of UK and 47% of US firms have an established GDPR programme.”
Other failures include:
Delusion – Many insurance carriers and brokers that have implemented GDPR programmes believe that they don’t have too much to do because they’re compliant with the EU Data Protection Directive (the Data Protection Act in the UK). This is a false assumption for many insurance businesses, as their processes and systems have all changed significantly since most firms last looked at data privacy. As a result, their GDPR programmes need to have a larger scope than was initially assumed.
Under-investment – According to the Paul Hastings survey, only 10% of UK companies have allocated a budget for GDPR compliance.
Wray says: “In my experience, the number of insurance firms allocating a budget is higher than 10%; however, these budgets are not always based on correct assumptions, therefore the project teams are likely to be asking for additional investment, or changing the scope to meet the budget. This often isn’t the best approach for compliance projects.
Some (re)insurers are also falling into the trap of thinking that GDPR is a “one and done” project (this is why some firms didn’t maintain their DPD compliance as tightly as they should have). For the GDPR some firms will require a data protection officer (in some cases this may need to be a full-time position, but others might look at a DPO service offered by specialist third-party contractors). This means that GDPR is likely to feature on most organisations’ budgets in some form going forward.”
Wray concludes: “Having the right resources in your GDPR programme can make a massive difference, either to supplement existing internal resources or to play a larger role. Indeed, having resources with access to the right experience right now could be the difference between a successful programme and one that is still running in January 2020.”
Darren Wray is CEO of Fifth Step Limited, which works closely with the insurance and financial services sector. Wray is also the author of The Little Book of GDPR, which is available from Amazon.