
The content of this Regulatory Update is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and should not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Contains public sector information published by GOV.UK and licensed under the Open Government Licence v3.0. Design © 2016 Zywave, Inc. All rights reserved.

EU General Data Protection Regulation

Provided by Peter Lole Insurance Brokers

EU Data Protection Reform

The EU's new data protection reform was published on 4th May 2016. The new rules become applicable on 25th May 2018. Because the GDPR is a regulation rather than a directive, it applies directly in every member state; member states are not required to adopt local laws to incorporate its requirements into domestic legislation.

The EU enacted these rules to create uniform data protection rules for all member states. In its view, a unified set of rules and standards would allow EU citizens more control over their personal information. Organisations that trade in the EU, whether based there or not, must comply with these rules in regard to processing the data of their EU customers.

The new rules update and replace the current data protection rules, which are based on the 1995 Data Protection Directive and the 2008 Framework Decision for the police and criminal justice sector.

Data protection reform takes place through two major instruments:

• The General Data Protection Regulation (GDPR); and

• The Data Protection Directive.

Enforcement

A company that fails to comply with the new rules by the effective date may be subject to a fine of up to €20 million or 4 per cent of the company's global annual turnover, whichever is higher.

The GDPR

The GDPR enables individuals to better control their personal data, regardless of where this data is sent, stored or processed.

The GDPR has four provisions which provide:

• Individuals with more access to their own data — individuals will have more information on how their data is processed (this information must be provided in a clear and understandable way);

• A right to data portability — by making it easier for individuals to transmit their personal data between service providers;

• A 'right to be forgotten' — individuals have a right to have their personal data erased if there is no legitimate ground for retaining the data; and

• Individuals with the right to know when their information has been hacked — by creating an obligation for those who gather, store or process personal data to notify their respective national supervisory authority of any data breaches that put individuals at risk (under the GDPR this notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so that affected individuals can take appropriate measures).

Consent and Specific Purpose

The GDPR's 'right to be forgotten' is tied to two main concepts — specific purpose and consent.

The GDPR assumes that when an individual consents to the processing of his or her personal data, he or she does so because that data is intended for the individual's benefit or some other specific purpose.

For this reason, individuals have a right to request that their personal data be erased when processing this data is no longer required in order to meet the specific purpose for which consent was given.

However, an individual's right to be forgotten is not absolute. Data does not need to be erased if a legitimate purpose remains. Legitimate purposes include freedom of expression and scientific research.

Finally, the GDPR also recognises that a certain level of maturity and understanding is required in order to provide consent for a specific purpose. For this reason, one GDPR rule indicates that consent for the processing of a child's personal information, in relation to online services offered directly to a child, must be given by whoever holds parental responsibility for that child, until the child is deemed old enough to give consent. The GDPR sets this age at 16 but allows member states to lower it, to no less than 13 years of age.

Data Protection Directive

The Data Protection Directive applies to the police and criminal justice sectors. The directive was adopted to protect the personal data of victims, witnesses and suspects in a criminal investigation or law enforcement action.

The directive also facilitates the sharing of information and cross-border cooperation to combat crime and terrorism.

Impact on Businesses

The reforms create a more efficient business environment by cutting red tape and reducing the costs many businesses must endure if they process personal data across borders. Businesses may be able to capitalise on simpler, clearer and more unified standards as they restore or maintain consumer trust.

The reforms also make the new data protection standards extraterritorial: businesses established outside the EU must comply whenever they offer goods or services to, or monitor the behaviour of, individuals in an EU member state. This ensures that all players within the EU are bound by the same rules, regardless of where they are established.

In addition, the rules streamline oversight by giving a business that processes data across borders a single lead supervisory authority (the 'one-stop shop'), rather than a separate authority in each member state. They also promote a risk-based approach to compliance requirements, recognising that businesses should have different obligations and operate under standards that more accurately represent the particular risk associated with their data processing.

Finally, the new rules call for data controllers to implement data protection safeguards from the early stages of product and service development to ensure that data protection becomes the norm — by design and by default. This includes appointing a data protection officer (DPO) responsible for data protection compliance. Organisations must appoint a DPO if they are a public authority, if their core activities involve large-scale regular and systematic monitoring of individuals, or if they carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

Impact on Small and Medium Enterprises

The new rules also level the playing field for SMEs by requiring them to:

• Appoint DPOs only when the SMEs' core activities require regular and systematic monitoring, or if they process special categories of personal data (for example, data that reveals racial origin or religious belief);

• Keep processing records only if processing is not occasional or is likely to put rights and freedoms at risk; and

• Report data breaches to individuals only if the breaches place their rights and freedoms at high risk.

In situations where SMEs must appoint DPOs, the new rules do not require that officers be full-time employees. Filling the role on an ad hoc basis or through an external consultant is sufficient to satisfy this requirement.

The GDPR will do away with the obligation for businesses to notify national data protection authorities about the data they are processing, which costs businesses about €130 million per year, according to the European Commission.

Impact on Employers

Employers process a large amount of personal data from their employees. Often, processing employee information is necessary to comply with employment law and to provide adequate benefits.

For this reason, employers should evaluate how the GDPR affects their personal data processing practices, policies and procedures. In particular, employers should consider whether they have obtained consent for a specific purpose and delineate when and how this consent may lapse. Because of the imbalance of power in the employment relationship, consent from employees is rarely treated as freely given, so employers should identify and document another legal basis (such as a legal obligation or the employment contract) wherever one applies.

Preparing for the GDPR

Although the GDPR does not come into effect until 2018, the Information Commissioner's Office (ICO) has created a checklist of things businesses can do right now to prepare and ensure compliance:

1. Awareness: Ensure that all decision makers and key people in your organisation are aware of the GDPR — they need to appreciate its impact.

2. Information You Hold: Document what personal data you hold, where it came from and whom you share it with. Also, organise an information audit.

3. Communication of Privacy Information: Review your current privacy notices and put a plan in place for making any necessary GDPR changes.

4. Individuals' Rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject Access Requests: Update your procedures and plan how you will handle requests within the new timescales and provide any extra information.

6. Legal Basis for Processing Personal Data: Look at the various types of data processing you carry out, identify your legal basis for doing so and document it.

7. Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Children: Think about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.

9. Data Breaches: Ensure you have the right procedures in place to detect, report and investigate data breaches.

10. Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments, and work out how and when to implement them.

11. Data Protection Officers: Designate a DPO, if required, or someone to be responsible for data protection compliance, and assess where this role will sit within your organisation's structure and governance arrangements.

12. International: If your organisation operates internationally, you should determine which data protection supervisory authority you fall under.

For a more detailed overview of your responsibilities under the GDPR, consult the ICO's guide for organisations located here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr. And for more information on protecting your business and ensuring compliance, contact the insurance professionals at Peter Lole Insurance Brokers today.

The GDPR will establish a single, pan-European law for data protection, meaning that companies will only have to deal with one law, not 28. The new rules will bring benefits of an estimated €2.3 billion per year, according to the European Commission.
