Jacqueline Cole, a member of the Forum of Insurance Lawyers' directors and officers sector focus team, offers important tips for complying with GDPR
The General Data Protection Regulation (GDPR) will be implemented on 25 May. GDPR will apply when personal data of EU residents is collected, stored or otherwise used (processed), regardless of where the processing takes place.
Tips for GDPR compliance
- Establish what personal data you hold
  - The GDPR contains a wider definition of personal data. The key to identifying whether data is personal data is to establish whether it concerns any information relating to an identified or identifiable natural person (the data subject)
  - Identify if processing involves sensitive data. Examples of sensitive data include personal data concerning racial or ethnic origin, religious beliefs or sexual orientation
- Identify if you are a data controller or data processor
  - A data controller is a natural or legal person or other body that, alone or jointly with others, determines the purposes and the means for the processing of personal data. A data controller may also collect, record, store, distribute or erase data
  - A data processor is defined as a natural or legal person or other body that processes personal data on behalf of the controller. A processor may store, organise or transmit data on behalf of the controller
- Carry out an information audit to ensure compliance
- Data controllers must comply with the six lawful bases to process data, which require that the data subject consents to the nature of each data usage and that the processing is necessary
- Where there is large-scale processing of sensitive information, data controllers must carry out privacy impact assessments
- Data controllers must implement systems to comply with the new rights available to data subjects, including the rights to rectification of data, restriction of processing, erasure of data, and to request a copy of the personal data provided to the data controller
- Data controllers and processors must ensure that there is adequate security in place to prevent data breaches
- Appoint a data protection officer (DPO). This requirement applies where a data controller or processor is a public body, monitors data on a large scale or is involved in large-scale processing of personal data
- Implement a clear breach notification strategy. Data controllers must report, within 72 hours of any data breach, to the Information Commissioner's Office and the data subject(s), setting out the nature and scale of the breach, the potential impact on data subjects, and the action that has been taken. Data processors must notify any data breach to the data controller
GDPR and director liabilities
By virtue of the increased obligations that are placed on senior management, coupled with a much tougher sanctions regime, GDPR is of huge significance for directors and for directors' and officers' insurance. Risks include fines of up to 4% of global turnover, corrective actions such as a ban on data processing, and civil compensation claims. The extent to which directors and officers will be indemnified against these increased liabilities will no doubt prompt many policies to be carefully reviewed. GDPR's overarching principle of accountability requires not only compliance but also the ability to demonstrate compliance.
Many of GDPR’s requirements and core concepts should be familiar as they reflect the continuation and evolution of existing obligations under the Data Protection Act 1998. However, there is no doubt that GDPR also provides a change of emphasis, adds new obligations and rights, and implements much stiffer penalties for getting it wrong. Companies and their directors and officers must ensure that they are able to demonstrate that their business systems and functions comply with the new regime.