
GDPR Overview: Rights, Pathways, and Notices Unveiled
Uncover the essentials of GDPR including rights, legal pathways, and notice requirements. Learn about fines, compliance, and key differences between DPA 98 and GDPR for effective data protection. Stay informed with this comprehensive guide.
GDPR: AN INSURANCE GUIDE
Sandy Gilchrist, Director, Priviness Ltd.
Alex Dean, Sales and Development Manager (Recruitment Practice), Stackhouse Poland Ltd.
20th October 2017

DPA 98
Repealed previous legislation from 1984 and 1987
Eight Principles introduced
Defines types of data
Data Protection Rights
Enforcement of the Act

GDPR - THE BASICS
In brief:
Enforceable from 25 May 2018
Report data breaches within 72 hours
11 special categories of personal data
10 Rights for data subjects
Legal basis pathways
Privacy by design / privacy by default
European Economic Area considerations
Brexit: Data Protection Bill / EU (Withdrawal) Bill
New statutory post: Data Protection Officer

GDPR - THE BASICS
Privacy is a fundamental right
Natural persons should have control of their own data
Processing of personal data is unlawful by default
Impact assessments
Applies to natural persons whatever their nationality or residence
Applies to paper records as well as digital
GDPR - RIGHTS
Access
Rectify
Erasure
Restrict
Portability
Notifying of recipients
Objection
Non-profiling
Notifying of transfer
Lodging a complaint

GDPR - PATHWAYS
Pathways - the legal basis for each purpose:
Consent
Contract
Legal
Vital interest
Public interest
Legitimate interest

GDPR - NOTICES
Notices must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
DPA 98 VS. GDPR
Subject: DPA / GDPR
Fines for non-compliance: Maximum £500,000 / Maximum 4% of global turnover or €20m, whichever is the greater
Accountability: None / It is now an organisation's responsibility to ensure compliance with GDPR
Mandatory activities: None / Staff training; internal audits on data processing activities; internal HR reviews; organisations monitoring or processing personal data on a large scale must have a DPO; record of steps taken to achieve compliance unless fewer than 250 employees

DPA VS GDPR CONT'D
Subject: DPA / GDPR
Mandatory activities (cont'd): (none) / Data Protection Impact Assessments (DPIAs) are mandatory and must be carried out
Reporting: Notifications to ICO not mandatory for the majority of breaches / Breaches must be notified to the ICO within 72 hours if high risks are present
Removal of data (right to be forgotten): No complete right of removal of all data held / Right to total removal of all data held
Consent: No requirement for individuals to opt in to data collection / Consent must be given when data is collected and processed, if consent is the lawful basis
Scope: UK / EU and any organisation which holds data on EU citizens
Subject Access Requests: £10, within 40 days / Free, within 30 days
GDPR NEXT STEPS
The approach:
Govern - get it on the agenda before it is the Board's agenda
Discover - know how compliant you are by conducting a Readiness Review
Plan - have a clear set of Actions that move you towards compliance
Remediate - document what is required, and don't forget training

INSURANCE RISK TRANSFER MECHANISM
Cyber and Data Liability
Management Liability
Cover includes:
Cyber Incident Response - response costs; legal and regulatory; breach management; crisis communication; IT forensic costs
Network Security & Privacy Liability
Privacy Liability - insurable regulatory fines (this is untested!); breach of Data Protection Laws (Entity); notification costs (Entity)
DPO automatically covered as an insured person
Front-end legal advice through the provider's nominated solicitors

CYBER & DATA LIABILITY
Insurable: Security - loss of data; cyber attack/breach; ransomware; extortion
Non-insurable: Compliance - failure to comply with processing laws (i.e. right to be forgotten); portability; unsolicited marketing; uninsurable regulatory fines

CYBER & DATA LIABILITY
Reputational damage
Under GDPR you may be required to notify the ICO of a data breach/loss.
If the records lost pertain to personal data and are identifiable (i.e. not encrypted), you will be required to contact all affected data subjects.
What cost will this have on your reputation?
Cyber and Data Liability includes cover for forensic investigations and crisis containment, including PR experts to limit the reputational harm caused.
Virtual Sprinkler System: it will not prevent a fire, but when one happens, it can prevent the business from burning down.
CASE STUDY
Company A: UK Telecoms; August 2015; website vulnerability; 2.4m customer records breached
Company B: UK Telecoms; October 2015; website vulnerability; 157,000 customer records breached

MANAGEMENT LIABILITY PACKAGE
AXA Management Liability
Directors & Officers (D&O)
Corporate Entity Defence (Entity)
Employment Practices Liability (EPL)
Any One Claim limits up to £10,000,000 per section
Extensions available
Fidelity Guarantee and Full Crime available
Full, unlimited access to Legal & HR Helpline, rradar
MLP COMPREHENSIVE COVER
All regulatory investigations
All regulatory prosecutions
All regulators with UK enforcement powers
Cover for the individual (D&O) and the organisation (Entity)
Employee Theft
Regulatory Intervention
Pollution
Pensions
Employment Disputes (including End User Extension)
Cover for Data Protection and GDPR advice

RRADAR LEGAL ADVICE
Unlimited, free access to rradar
Legal advice given by qualified, highly regarded solicitors, including GDPR specialists
24/365 crisis line
Hundreds of downloadable documents including Data Protection, Employment and Human Resources, Tax, Health & Safety, Corporate Governance, Crisis Management, Debt Recovery and many more

OTHER INSURANCE/RISK MITIGATION
Professional Indemnity - FULL Vicarious Liability
Free Contract Checking Service
Employers', Public & Products Liability
Material Damage & Business Interruption
Access to all SPL departments, including Health and Protection

WHERE TO GO FOR HELP
Contacts:
sandy.gilchrist@priviness.eu, 07990 398696
alexdean@stackhouse.co.uk, 07833 301075
Disclaimer: any information communicated is based on understanding of current law and legal cases, which constantly change. Do be careful to seek advice in all legal matters.