How GDPR changed the world and the way it handled data

No comments

As the introduction of the EU’s General Data Protection Regulations nears it second birthday, Insurance Times looks at how it has put data protection at the top of most firms’ agendas

This month marks two years since the General Data Protection Regulations (GDPR) were introduced on 25 May 2018. The regulations were brought into force by the EU, but have had an impact on businesses around the globe as data continues to cross borders.

GDPR is a significant and complex set of regulations with implications for data subjects, data controllers or processors; and data privacy regulators.

The implementation of any such regulations can have problematic passages and unintended consequences, while critics will be gauging its efficiency and effectiveness. So, how is GDPR being viewed after two years of regulating data?

“There’s been an uptick in compliance and, slowly but surely, awareness has increased. There’s no doubt at all that GDPR has massively increased the seriousness with which businesses of all sizes take data protection,” said Jon Bartley, Partner at law firm RPC.

“Data protection is now at, or near, the top of most boards’ agendas. Particularly with larger organisations, the general trend is that it has moved from a tick-box exercise to making sure that compliance culture is embedded throughout the business.

“The increased awareness and risk has, in turn, materially increased the amount of investment in compliance,” Bartley added.

“Now that the dust has settled, people are looking at this with the benefit of a bit more time, more guidance from the regulators, and they can see what their competitors are doing.

“They are asking if they did it right, did they do enough, is what they did still valid or does it need updating?”

Twofold

The impact of GDPR on the insurance sector was twofold, as not only did the industry need to make sure it was compliant in regards to the vast volumes of personal data it collectively held, it also meant increased demand from policyholders.

As well as representing probably the biggest shake-up of data protection regulations ever implemented, GDPR was widely predicted to provide a major boon to cyber insurers.

Caspar Stops, head of Cyber at managing general agents Ascent, said his company started writing cyber in 2013. “Privacy was becoming a big deal. There were some very big losses being publicised, mainly in the US. The public view of privacy really went up a notch in terms of awareness.

“But was privacy on the radar of organisations? Some sectors, like healthcare, were very conscious of privacy, but a lot of other businesses not so much.

“Along came GDPR, which was very well publicised, particularly in the UK. What we learnt from an insurance standpoint was that businesses really sat up and took notice of it.

“We were asking insureds: ‘Are you GDPR-compliant?’ It was on all their risk radars. They were all thinking about the personal data they held and how they were going to become compliant.”

He said his company had a lot of US and Canadian businesses in its portfolio and they were taking notice, partly because they had to.

“It affected all these people they traded and did business with, so they were also working hard to become GDPR compliant, Stops added.

“What that did is, across the board, improve data protection and privacy risk. That’s what it should do.”

GDPR: industry reaction

Could it be better?

Parts of GDPR could be improved to make it more effective, simpler to comply with and easier to enforce. Businesses need more clarity on the way fines are calculated, while insurers have questions around the insurability of fines and penalties that come out of GDPR. This is partly due to the lack of case law to use as examples.

Gillian Anderson, head of cyber and tech at The Channel Syndicate, said “It is a complex subject for insurers to take on. We did have data standards beforehand, but GDPR has been the buzzword for the past few years with insureds.

“However, there’s a lot of uncertainty around the insurability of fines and insurers and brokers are trying to broaden the wordings as far as they can. The fines that the industry has seen are under appeal and it’s likely to be quite a lengthy process before we work out whether they are insurable,” Anderson said.

What other problems are there?

There are misunderstandings about some processes under GDPR, as well as consumer rights.

Rhiannon Webster, data risk partner at law firm DAC Beachcroft, said: “One particular bugbear is access request. People can pay £10 to get access to their personal data. £10 isn’t much of a barrier and because of GDPR people are making more and more access requests. Lots of our clients struggle to meet the 30-day deadline. So, that obligation could be a bit more reasonable.

“There’s a lot of misconception of the right to be forgotten, but it only applies in certain circumstances. Lots of people write to insurers saying we’re no longer a customer or we once had a quote but we want to be forgotten and we don’t want you to have our data anymore.

“As insurers are regulated entities that doesn’t apply and, even though you can only keep data for a reasonable time, the need to keep records of transactions, because of regulatory requirements, overrides the right to be forgotten.”

Reporting breaches

As well as improving data protection across the business world, GDPR also made notifications more likely, as firms were legally obliged to report breaches.

It also coincided with a shift in consumer attitudes towards personal data. They were becoming more switched on to their rights. This was partly driven by GDPR, but also by events such as the Cambridge Analytica/Facebook personal data scandal.

The past two years have also seen major fines handed down for security breaches. Most notably, British Airways and Marriott Hotels were fined £183m and £99m, respectively, for failing to keep customer data secure.

This rise in notifications and fines has consequently driven an uptick in cyber claims activity over the past few years.

Mark Camillo, AIG head of EMEA cyber, said: “In the first 12 months after GDPR was introduced, claims volume almost doubled and in the last year it has risen again by around 30%.

“Companies of all sizes are erring on the side of caution and notifying the regulator of issues that may affect only one or two people. A typical example would be a bank mis-mailing statements.

“Of course, GDPR has not been the only driver of claims activity, although it is a significant one. The rise of ransomware is the other key factor. This led to a rise in the severity of claims due to significant business interruption events, and for the first time we are seeing excess layers coming into play.”

One marker of GDPR’s success is that it has spurred regulatory developments elsewhere. Policy makers around the world have started to wrap in elements of GDPR as they revamp their own rules.