Data privacy is big news these days. And it’s about to get even bigger in the EU.
Effective May 25, 2018, any company that has a presence in the EU, or that handles the personal data of people in the EU, will need to comply with strict new rules protecting personal data. The cost of violating those rules, known as the General Data Protection Regulation (GDPR), is terrifyingly high, in financial terms as well as reputation. Are you prepared?
The GDPR is a sweeping new regulation designed to give individuals in the EU control over how their personal data is used, stored, and shared by organizations. Personal data means any information relating to an identified or identifiable individual (name, address, IP address, social network posts, medical information, etc.), whether the person can be identified directly or indirectly, for example by combining that information with other data.
The regulation applies not just to companies established in the EU, but to any organization, wherever it is located, that processes the personal data of people in the EU in order to offer them goods or services (even for free) or to monitor their behavior. In short, virtually every organization that does business in the EU will be affected. Even those that don't currently operate in the EU will want to pay attention, as the GDPR will likely elevate data privacy standards in the U.S. and around the world.
The incentive to get it right is huge. Failure to comply could result in fines up to €20 million or 4% of a violator’s global annual revenue, whichever is greater. Let that sink in a minute.
By giving individuals power over their data, the GDPR represents a seismic shift in how companies will have to operate, both inside and outside the EU. One of the biggest changes involves consent. Where a company relies on consent to process someone's data, that consent must be freely given, specific, informed, and unambiguous: a clear affirmative action (think opt-in), not a pre-ticked box or silence. Explicit consent is required for sensitive data such as health information. Individuals must also be able to withdraw consent at any time, as easily as they gave it, and companies have to make it simple to do both.
The new rules also impose:
- Increased transparency to consumers about how their personal data is being used
- Stricter limits on using personal data, which must be collected for specified purposes and kept no longer than necessary
- Stronger controls by companies before processing personal data, including data protection by design and by default, and impact assessments for high-risk processing
- New individual rights, including access, data portability, and the right to be forgotten (erasure)
- Mandatory notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it (and to affected individuals without undue delay when the breach poses a high risk to them)
This means keeping scrupulous records of what personal data is held, where it is held, and what is being done with it. Companies will have to reassess how they process and retain data, review their contractual arrangements with third parties that process data on their behalf, and be able to demonstrate accountability for all of it.
Compliance won't be easy for the majority of organizations. Meeting the short time frame for data-breach notification and honoring the individual right to erasure are challenging in and of themselves. And there is so much more. To help ensure nothing critical is overlooked, here are eight steps that will put you on the path toward GDPR compliance:
- Document what personal data you hold, where it came from, and whom you share it with.
- Review current privacy notices and make necessary changes. Spell out why you collect personal data and the purposes for which it’s used.
- Assess how you would delete personal data or provide data electronically in a commonly used format.
- Update procedures for handling requests within the prescribed timeframe (generally one month, extendable for complex requests).
- Review how you seek, record, and manage consent – and revise as necessary.
- Determine whether you need a system to verify ages and obtain parental consent for any data processing activity (for online services, the GDPR treats anyone under 16 as a child, though member states may lower that age to 13).
- Put the right procedures in place to detect, report, and investigate a personal data breach.
- Designate a point person for all compliance-related activities (a formal Data Protection Officer is mandatory for some organizations, such as those whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data).
What Are You Waiting For?
The internet, smart phones, and social media have forever changed the way we live. Companies and governmental organizations have unprecedented abilities to track individuals’ profiles, aggregate consumer data, and use algorithms to predict habits and preferences. Troves of personal data have been accumulated – and the GDPR is there to protect it from exploitation.
The lesson here is to be responsible and accountable for personal data. Time is running out.
How Marsh ClearSight is Helping Clients Prepare for the GDPR
We have conducted detailed assessments of our processes, operations, IT, and third-party relationships and have made three important enhancements to the Marsh ClearSight platform in support of the GDPR and our role as a data processor:
- User-specific login agreement. You can define your own agreement (in addition to the standard Marsh ClearSight agreement) that users must accept to log in successfully, and you can determine how often that agreement is presented.
- Super delete. Claim and occurrence records, along with process transactions, can now be deleted from the system with one click.
- Anonymization. Claims incidents, occurrences, contacts, and child records can now easily be made anonymous without losing valuable historical data.
The contents of this blog post are intended solely for general informational purposes and do not create an attorney-client relationship. Any statements concerning legal matters are not to be relied upon as legal advice, for which you should consult your own professional advisors. The information shared in this post may not reflect the most current legal developments. No action should be taken in reliance on the information contained on this post, and Marsh ClearSight disclaims all liability in respect to actions taken or not taken based on any or all of the contents of this post to the fullest extent permitted by law. Marsh ClearSight makes no representation or warranty in or with respect to this information, shall have no obligation to update the information, and shall have no liability to you or any other party with regard to the information.