The General Data Protection Regulation (GDPR) – which has been touted as the most important change to data privacy regulation in 20 years – comes into force next year, altering the landscape for businesses across Europe.
And while the UK is officially headed for an exit from the European Union, the GDPR will still have an effect on British businesses – a topic that will be explored in greater depth at the upcoming Insurance Law Masterclass in London.
The GDPR is a huge piece of legislation that will require a pro-active approach to compliance from businesses, Ruth Boardman, partner at Bird & Bird specialising in international privacy and data protection, told Insurance Business.
But while the regulation brings in some significant changes, including tougher penalties, Boardman said much of it is a development, not an overhaul.
“It’s evolution rather than revolution, so about 70% – or even a bit more – will feel very familiar to people,” she said.
The legislation’s predecessor has been around for a long time, but in a data-driven world where almost all companies hold large amounts of data, the new regulations will have much more of an effect, Boardman explained.
One of the GDPR’s defining differences from its predecessor is the much bigger sanctions it imposes, which can be up to 4% of worldwide group turnover – a potentially big blow for a business.
The new regulation is a move from a “principles-based” system to a prescriptive one that places a higher burden on companies to comply.
“The GDPR is somewhat different because it says you have to actually embed compliance in the organisation, and you have to be able to demonstrate the steps you are taking to achieve compliance,” Boardman explained.
“It’s not enough that you are complying, you have to be able to demonstrate the measures you’ve put in place to do that,” she said.
The regulation will also tilt the balance in favour of individuals, giving them more rights. One example is access requests, where individuals will be entitled not just to ask their insurance company for a copy of their information, but also to receive some of it in a structured, machine-readable format.
These, along with other changes to be implemented, will require a coordinated response from various parts of a business, from legal, to IT, to HR, Boardman said.
“[Companies] need a project team or a project plan. It’s a piece of legislation which touches many different parts of the business, and which requires them to cooperate to become compliant,” she added.
You can hear more from Ruth Boardman on what you need to do to prepare for the GDPR at the Insurance Law Masterclass on June 08 at The Grange City Hotel in London.