
What new Euro data laws mean for companies

New era: Bermudian-based companies doing business in the EU will have to comply with new European data protection rules

On December 15, 2015, the European Parliament and the European Council agreed the EU Data Protection Reform, promising to make Europe fit for the digital age. But what is the General Data Protection Regulation (GDPR), what is its scope, and what do organisations need to do to comply with this new regulation? In this second part of a two-part article, Darren Wray looks at the additional rights that the GDPR grants data owners, and discusses what companies have to do.

Some background

The GDPR is an update to the European Data Protection Directive (DPD), which first came into force in December 1995 with the aim of protecting individuals and the processing of their personal data in the European Union. Considering that at the point of its implementation the internet was still something used by geeks and tech hobbyists, the directive could never have predicted how the world would change over the following 21 years, so despite having been amended a few times, this directive is long overdue for an update.

What is the scope of the GDPR?

The scope of the GDPR is global. Anywhere that private information relating to people residing in the European Union is processed (this includes collection, storage, updating, viewing, reporting or use), it must be safeguarded and treated in accordance with the tenets of the GDPR. Failure to do so could result in fines being levied against the company, particularly if its actions lead to a loss of information or a data breach. It is important to remember that private information does not just relate to information that is captured for the purpose of providing a service, but also includes information that your organisation holds about its employees who reside in the EU.

How is the GDPR different from existing data protection?

Many of the basics of the GDPR and its predecessor the DPD are similar, but there are some key differences that mean an organisation that is compliant with the DPD won’t necessarily be compliant with the GDPR.

The rights

There are a number of new or extended rights that a data controller must provide or perform, either at the appropriate point in the lifecycle of the data or, in some cases, at the request of the data subject or supervisor.

The right to erasure

Article 17 of the GDPR describes the right to erasure, sometimes known as the right to be forgotten. This means that a data subject’s data must be erased without undue delay when the data is no longer required in relation to the purpose for which it was collected.

For an insurance company this means that private information must be deleted once the policy is cancelled, has expired or is not renewed.

Another aspect of Article 17 is that a data controller may have to restrict use of data whose quality has been contested by the data subject.

The right to portability

Article 18 provides the data subject the right to request a copy of personal data of theirs that is automatically processed.

The purpose of this export is to allow a data subject to more easily change service provider by being able to provide their data to the new service provider.

The data should be provided in a structured, commonly used, machine-readable format. It is possible that a number of (sector-specific) standards will spring up after the GDPR comes into force; however, at the moment it is likely that organisations will have to do some work to import the data from their competitors.

Unambiguous consent for use of data

In common with the DPD, an organisation collecting personal information from EU residents must clearly state the purpose for which the data is being collected, and the data subject must provide clear and unambiguous consent for the use of their personal information for that purpose.

In the case of using personal information for marketing (as a secondary purpose), it is best practice for this use to be clearly identified and for the data subject to be able to opt in to the receipt of marketing information.

It is imperative that organisations maintain an accurate record of the data subject’s agreement for their data to be used for the primary and any secondary purposes. Failure to do so may invalidate the organisation’s right or ability to use the data as desired.

Right of access

Data subjects have the right to ask a data controller whether personal information about them is being processed. This right also allows the data subject to request a copy of the personal information that the controller holds on them. This information must be provided without undue delay, but a small fee can be charged by the data controller to provide the information.

What this means for an insurance company is that it needs to be able to perform a Right of Access report that would provide the details of a data subject should they make such a request. For most firms this may be complicated by their use of several systems (e.g. policy administration systems, claims systems, finance systems, HR systems), and it will be further complicated if the organisation has been acquisitive and has not consolidated its systems.

Where the information is not held in a data warehouse or other centralised repository, the Right of Access report may need to be created a number of times.

Any information provided to the data subject should be decoded, so if, for example, the information provided includes details of a processing office, this should be decoded from the internally used code to an understandable description (e.g. B7 becomes Hamilton Office).

The need for a data protection officer

A data protection officer is mandated in certain circumstances (particularly where sensitive personal information is processed by the data controller) and for larger companies. Smaller companies are likely not mandated to have this role, but are likely to need it on at least a part-time basis.

This person will be the point of contact with the data protection authority and will be involved in actual or suspected data breaches. It is likely that reviewing right of access requests to ensure they are valid will form part of their duties.

Transferring data outside of Europe

Some organisations will be familiar with the difficulties in 2015 when the Safe Harbor Agreement principle (which allowed an organisation to send data to another company, or another part of its own company, based in the US) was deemed to be invalid.

The GDPR allows the establishment of Binding Corporate Rules (BCR) that allow data to be transferred outside the borders of the European Economic Area, so long as it remains within the group. There is a process that needs to be followed to get the BCR in place and approved by the DPA; more information will be available from your chosen DPA.

What does your company need to do?

Organisations that are within scope (ie those processing EU residents’ data) will need to implement changes to computer systems to ensure that the new rights and regulatory requirements are supported, while reviewing and changing their data-orientated policies and procedures to ensure that they are fully compliant with the new requirements.

Organisations also need to ensure that their processes guarantee the security and quality of the data being collected, and set up Binding Corporate Rules to allow data to be transferred outside the EEA. Finally, they need to implement business process change to ensure that the new processes meet the requirements of the policies.

When does this have to be active?

2018 seems like a long time away, but don’t be complacent about the timeframe. Many Bermudian-based companies have a large change agenda (the number of projects that they need to complete) and only a limited number of resources to work on new projects, so leaving an important project until the last minute is unlikely to be an option, particularly when the GDPR has such sharp and pointy teeth.

Darren Wray is the chief executive officer of Fifth Step and has more than 25 years of IT and management experience within the financial services and other sectors. Fifth Step operates globally from its offices in Bermuda, London and New York, providing IT leadership, change management and governance services to executives and senior managers within insurance, investment, legal and banking organisations of all sizes.