GDPR, a Tale of Procrastination, Delusion and Underinvestment?


The General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. The potential fines that can be levied under GDPR are large: at the extreme they can reach €20m or 4% of worldwide annual turnover, whichever is greater, and it is the percentage figure that makes the regulation important to companies of all sizes.

The (re)insurance market may, however, be failing to address the challenges brought about by GDPR. According to Fifth Step CEO Darren Wray there are a number of causes of those failures. Wray said: “The first driver of likely non-GDPR compliance is procrastination. In some cases, this is a result of not recognising the scale of the GDPR programmes, which did not make the progress they needed to in 2017. My observations are further borne out by a recent survey by the law firm Paul Hastings, in which they find that only 39% of UK and 47% of US firms have an established GDPR programme.”

Other causes of failure include:

Delusion - Many insurance carriers and brokers that have implemented GDPR programmes believe they have little to do because they are already compliant with the EU Data Protection Directive (implemented in the UK as the Data Protection Act). This is a false assumption for many insurance businesses: their processes and systems have changed significantly since most firms last looked at data privacy, so their GDPR programmes need a larger scope than was initially assumed.

Under-investment - According to the same Paul Hastings survey, only 10% of UK companies have allocated a budget for GDPR compliance.

Wray says: “In my experience, the number of insurance firms allocating a budget is higher than 10%; however, these budgets are not always based on correct assumptions, therefore the project teams are likely to be asking for additional investment, or changing the scope to meet the budget. This often isn’t the best approach for compliance projects.

Some (re)insurers are also falling into the trap of thinking that GDPR is a “one and done” project (this is why some firms didn’t maintain their DPD compliance as tightly as they should have). For the GDPR some firms will require a data protection officer (in some cases they may need to be a full-time position but others might look at a DPO service offered by specialist third party contractors). This means that GDPR is likely to feature on most organisations’ budgets in some form going forward.”

Wray concludes: “Having the right resources in your GDPR programme can make a massive difference, either to supplement existing internal resources or to play a larger role. Indeed, having resources with access to the right experience right now could be the difference between a successful programme and one that is still running in January 2020.”

Darren Wray is CEO of Fifth Step Limited, which works closely with the insurance and financial services sector. Wray is also the author of The Little Book of GDPR, which is available from Amazon.

Darren’s background is in strategic management of IT for organisations from start-up to multinational corporates. His experience encompasses a number of industry sectors, including financial services and media.