CNA Hardy’s Matt Sumpter offers an interesting perspective on GDPR:
There is no question that the forthcoming General Data Protection Regulation (GDPR) will bring with it big changes to organisations; enhancing existing data subject rights provided under the current EU Data Protection Directive as well as introducing new ones. But change is not necessarily a bad thing, and GDPR should be viewed as an opportunity rather than something to be feared.
Most organisations are already taking steps to prepare for the forthcoming legislation; however, judging by the current commentary, much of this preparation is focused only on the potential downsides rather than on leveraging the opportunity.
It is true that the focus on compliance around data collection and distribution that is at GDPR's centre is being enforced by greater consequences than previously seen under the current Directive. However, the real intent of GDPR is not to generate fines but to create new behaviours in organisations' approach to handling and processing personal data. In a world becoming more and more reliant on technology, this should be viewed as a positive step forward.
An organisation's ability to present evidence to regulators of its efforts to comply with GDPR will help reduce liability under Article 83 (General conditions for imposing administrative fines). Therefore it benefits an organisation not just to take measures to minimise potential consequences, but to embed an appropriate culture that embraces the principles of GDPR and to enforce meaningful accompanying systems and controls.
There are six key principles governing the processing of personal data, and implementing them should be a positive change for organisations. By better managing how data is used, organisations will be able to build greater trust and loyalty with their customers, which in turn should enhance their brand and the bottom line. Furthermore, this increase in trust and better management of the security of data will enable greater data sharing and better leveraging of Big Data, which will assist with product development and an enhanced customer experience.
The six key principles are:
Lawfulness, fairness and transparency: the processing of personal data should follow regulation.
Purpose limitation: organisations should only collect personal data for specific, explicit and legitimate purposes.
Data minimisation: personal data should be adequate, relevant and limited to what is necessary for the purpose of processing.
Accuracy: personal data must be accurate and kept up-to-date, and corrected or deleted without delay when inaccurate.
Storage limitation: organisations must keep personal data in identifiable form only for as long as necessary to fulfil the purposes it was collected for.
Integrity and confidentiality: personal data must be secured by appropriate technical and organisational measures against unauthorised and unlawful processing, and against accidental loss, destruction or damage.
Organisations should think of GDPR in terms of the rights it grants their customers and the benefits that may flow from the trust that will build from it rather than just the potential threat it poses to them. By embracing GDPR’s principles, both organisations and customers alike have a lot to gain.
Matt Sumpter, Underwriting Director for Technology and Cyber Risks