100 Leadenhall Street London, EC3A 3BP
+44 (0)20 7173 7000
  • About Chubb

    ACE has acquired Chubb, creating a global insurance leader operating under the renowned Chubb name. Chubb is the world’s largest publicly traded property and casualty insurer, with operations in 54 countries, exceptional financial strength, and a broad range of personal and commercial insurance products.

    At Chubb, we’re committed to providing the very best insurance coverage and service to individuals and families, and businesses of all sizes. While we may look different, rest assured that all current ACE and Chubb policies remain in place.

The data deadline – GDPR are you prepared?


With the clock ticking on the introduction of new data protection regulations, Chubb asks what companies should be doing to prepare.

The name of Europe’s new data regulation might not be eye-catching, but the potential fines certainly are. When the General Data Protection Regulation (GDPR) comes into force in May 2018, companies found to be non-compliant could stand to lose 2–4% of their global turnover. Any company handling personal data of EU residents will be affected, even if they are based outside the region. Yet, a global survey by Dell in October 2016 found that 97% of companies do not have a plan in place to meet the new requirements.

The GDPR essentially builds on existing data protection rules, taking existing privacy rules but enhancing regulatory requirements. A good example is the enforcement regime, which will give regulators powers to levy much bigger fines for non-compliance. Another big change is a requirement to notify regulators within 72 hours of a security breach. The rules around collecting consent to use individuals’ data will also change and privacy policies issued to users must provide more information to explain exactly how data is going to be used. Consumers will get new rights to change preferences, be forgotten and move their data between service providers. Some organisations will need to appoint a data protection officer and carry out privacy impact assessments before engaging in higher risk projects.

Looking ahead to May, here are some of the basic steps organisations should take to prepare, but this is a significant piece of legislation with wide-reaching effects, so this list is by no means exhaustive:

Data mapping – one of the first steps any organisation should take is to work out what data it holds and how it is being used. Andrew Dyson, Partner at law firm DLA Piper, explains: “Work out what data you’ve got, where it’s sitting, who’s using it and how it’s being managed. In tandem with that, work out where there might be gaps – where you might be collecting data but you don’t have a proper privacy policy, where you might not be getting the right consent, or where you might be relying on a third party to help manage your systems but don’t regulate data under your contract.”

Culture change – ensure that key individuals take ownership of compliance and understand the impact of GDPR throughout the business. Andrew says: “The organisation needs to build an accountability framework that you can use to demonstrate to a regulator that you know what your responsibilities are and have a clear plan and set of policies to effectively manage compliance within the business. That is really important to mitigate risk.”

Breach policy – the 72-hour notification window is short, so it is important to have a strong cyber breach policy in place. Once a breach has been identified, organisations will need to determine whether it involved personal data, work out whether there is a duty to notify and then inform the regulator. Chubb’s Regional Manager for Cyber Risks, Continental Europe, Kyle Bryant, says: “There are some easy things you can do to prepare, such as making sure that the lines of communication are strong. When we go in to advise clients, we ask how someone in their organisation would report an incident and do they need to shorten that time frame?”

Privacy policies – most privacy policies will need to be refreshed to meet obligations under the GDPR. “You’ll have to give people more information about how you’re looking to use their data, so rather than just saying ‘we will use your data for marketing purposes’, you will actually need to break down the activities to provide more granularity about what you are doing and who you will be sharing it with. It’s about giving people a lot more transparency and control of what is happening with their data and what their rights are,” says Andrew. Privacy must also be taken into consideration throughout the design process of new products or services.

IT infrastructure and security – users must have the option to change their preferences, to move their data and to be forgotten. That means technical teams will need to adapt the systems currently in place. Kyle also encourages clients to assess their security preparedness: “If the client has a low or moderate level of security, we like to move them up one notch. We need to try and improve them incrementally in order to prepare.”

If you would like to talk to Chubb about the issues raised in this article, Click Here, provide some information and youTalk-insurance will put you in touch.

Latest video

Chubb 'The principles behind our work' (video)

Watch Chubb Chairman and CEO Evan Greenberg discussing the ideals that drive the new Chubb in this short video ‘The Principles behind our work’ click here for more