GDPR: The Risks to SMEs and Those Who Insure Them

Clifford McDowell
Doorda
May 23, 2018

The General Data Protection Regulation (GDPR) will give private citizens back control of their personal data and will simplify the regulation of such data within the European Union. It replaces the current Data Protection Directive and is more comprehensive in many respects. But what impact will it have on small to mid-sized enterprises (SMEs) and the companies that insure them?

Overview of the General Data Protection Regulation

The GDPR was adopted on 27 April 2016 by the European Parliament, the European Council, and the European Commission, and will go into effect on 25 May 2018. The GDPR is a single regulation, replacing 28 different interpretations of the Data Protection Directive currently in place.

There is no requirement for enabling legislation by national governments, as this is a regulation and not a directive. The intent of the regulation is to unify and strengthen data protection for those within the EU and to regulate the export of personal data outside the EU.

The regulation covers residents of the EU, those who collect data from EU residents, and those who process the data of EU residents, such as cloud computing service providers. Personal data is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” There is a separate Data Protection Directive for criminal justice that covers personal data exchange amongst law enforcement agencies at the national, European, and international levels. There are also some exemptions made within the regulation for data that are used for scientific research purposes.

Increased Consumer Rights

The GDPR increases the rights consumers have concerning the way their personal data is collected, maintained, and shared. Under the regulation, consumers have the right:

  • To be informed of what data is held about them
  • To have access to the data being held
  • To erase data being held on them (i.e., the right to be forgotten)
  • To restrict or block the processing of their personal data
  • To obtain and reuse their personal data
  • To object to the way their personal data is being used
  • Not to be subject to a decision that is based on automated processing of their personal data

Consumers Are Better Informed

Consumers are online more than ever, which means they are generating more personal data. But, they are also better informed and are beginning to pay attention to the way this data is being collected, managed, and shared.

According to the Personal Data Empowerment Report from Citizens Advice Bureau, consumers can be divided into one of five categories when it comes to how informed they are about data.

  • 30% of consumers are Non-Sharers, meaning they are knowledgeable about data protection and take measures to protect their personal data.
  • 22% are Sceptics, which means they are sceptical about whether the companies and government agencies that collect and use personal data can be trusted. They want measures in place that will give them simple, direct, and regular control over their data.
  • 20% are Pragmatists, who take small measures to protect their privacy. They understand the consequences of having their personal data available but prefer efficient services to complete privacy.
  • 19% are Value-Hunters, who understand the value of their data and the benefits of sharing it.
  • 8% are Enthusiastic Sharers, meaning they are amenable to sharing their information but they are concerned about the ways in which data could be misused.

Overall, there is far more concern about the misuse of personal data than there was a few years ago. It is likely that there will be still more concern a few years from now. Consumers are knowledgeable about how and what type of data is collected, and what is done with it. They are cognizant of their rights and they are likely to act if they believe those rights are being violated.

Current Cooperation by Small Businesses

The current regulations are less onerous than the GDPR but the level of compliance with those is concerning. The data around SMEs and their familiarity with existing and upcoming requirements are sobering.

As of 2016, there were 5.5 million small businesses in the UK. 96% of these were classified as micro businesses, employing fewer than ten people. There are 400,000 businesses registered with the Information Commissioner’s Office (ICO), whose mandate is to ‘uphold information rights in the public interest.’ Therefore, 93% of UK businesses are not registered with the ICO.

GDPR requires companies that hold personal data to put into place comprehensive but proportionate governance measures in order to ensure compliance with the regulation. No business, no matter how small, is exempt.

At least half of the businesses in the UK that are aware of GDPR admit to having trouble implementing it. Many are putting money aside in anticipation of the regulation taking effect. Many SMEs are simply not aware of the impending changes to privacy regulations.

Legal Firms Are Lining Up

Consumers will be the main beneficiaries of the new regulation, but legal firms may benefit greatly as well. They will likely capitalise on the inability or unwillingness of SMEs to adopt policies that align their practices with the more stringent requirements of the GDPR. Many legal firms consider that the new regulation will represent the next ‘rush’ of lawsuits regarding the handling of personally identifiable information (PII).

Legal firms are likely to target large organisations first as they will want to go where the money is. But small and mid-size firms that flout the regulation may get caught in the crossfire. Some smaller enterprises that do not understand or choose to ignore the regulation may also be easy targets for legal firms.

Profiling is one of the areas addressed by the GDPR that will be a target for litigation. Profiling, as defined in the regulation, involves automated processing of personal data, which is then used to evaluate an individual’s personal aspects. The data may be used to impute a person’s economic situation, behaviour, interests, or personal preferences.

SMEs need to understand that profiling that doesn’t result in an automated decision or includes human intervention is not covered by the GDPR. This is an area that may affect larger organisations to a greater degree. Nevertheless, all companies must abide by the regulations around profiling, and all companies are subject to warnings and fines for violations.

Another area likely to generate lawsuits is that of consent. The existing regulation allows those who control data to rely on negative consent, or the failure to ‘opt out.’ The new regulation requires that individuals ‘opt in’ or clearly state they will allow their personal data to be collected, stored, or shared. Parents must provide consent for their children’s data.

It is unlikely that legal firms will see an influx of cases being brought by individual consumers who are concerned about the use of their personal data, simply because these cases are expensive and time-consuming to try and are unlikely to result in large judgements.


Fines and Penalties

The fines for failure to comply with the GDPR are steep. An organisation can be fined 4% of global annual turnover up to a maximum of €20m. Organisations that experience a breach have 72 hours to notify affected parties.

The first instance of a violation may receive only a warning but will also trigger an annual audit to assess the firm’s level of compliance. This audit may prove onerous for smaller companies and may lead to fines if violations are detected.

What GDPR Means for Commercial Insurers

Commercial insurers will need to be certain they are in compliance with GDPR in terms of their own policies around data collection, maintenance and sharing. Regardless of size, they should appoint or hire a Data Protection Officer to oversee compliance. This person’s knowledge of the regulation and its import should be shared with top executives as well as underwriters, as it can help to create guidelines for mitigating risk when insuring SMEs.

Whether an insurer is currently offering cyber cover or not, the enactment of this regulation offers an opportunity to revisit this market. Insurers should review the coverage areas, pricing, and ‘packaging’ of cyber insurance to determine if it is a market they wish to enter or expand upon.

The adoption of cyber insurance has been somewhat spotty, with many companies objecting because of the perception that coverage is not adequate or comprehensive. Insurers may want to look to the GDPR to identify the key areas where coverage is warranted, adding these areas to their existing cover to produce a product that is more comprehensive.

Commercial insurers need to consider the pricing of their cyber cover in light of the level of fines that can be levied under GDPR. Pricing will need to reflect the increased risk of loss that is presented by the new regulation, but insurers will also need to be careful not to price themselves out of the SME market. As with any new product line, the pricing will need to be adjusted as loss history data becomes available.

Insurers should consider whether cyber insurance is best offered as a stand-alone product, as a rider to a commercial liability policy, or included in a commercial liability policy. There is also the option for insurers to offer coverage in more than one of these ways, giving the customer the option to choose how to purchase their cyber cover.

Risk Mitigation When Underwriting SMEs

The enactment of GDPR will change the way cyber insurance, whether stand-alone or as a rider to a commercial liability policy, is underwritten. There will be additional risks under the new regulation, and those risks will need to be mitigated.

New underwriting guidelines should be enacted, based on the requirements of the regulation and a company’s willingness to comply with it. Insurers may wish to refine their policy limits as well, considering the fines that may be levied against companies that violate the regulation.

Here are some ways insurers can mitigate risks:

One of the requirements of GDPR is that companies with over 250 employees have a designated Data Protection Officer. While this is not a requirement for SMEs, designating someone to be responsible for data protection, in addition to their other duties, would be a smart idea. This kind of attention to the spirit of the regulation should be looked upon favourably by underwriters.

Ignorance of the regulation is a warning sign. SMEs should be able to demonstrate understanding of the regulation and its requirements.

Since the GDPR protects consumer data as it is collected, stored and exchanged, the less data a company handles, the lower the risk it presents. Insurers should consider the amount of data a company collects, how long they store it, how they exchange it, and how they dispose of it, as they make underwriting decisions.

For those companies that collect personal data for aggregation, pseudonymization is a way to mitigate risk that is specifically included in the GDPR. It is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” While the pseudonymization of data alone is not sufficient to preclude a company from the constraints of the regulation, it is a way to mitigate risk. The regulation allows processors of data to have more leeway with data that has been pseudonymized.
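Added example, not from the article: keyed pseudonymisation of a small constructed customer dataset in Python. The direct identifier is replaced by an HMAC token, so repeat records for one subject still aggregate, while the key and lookup table (the ‘additional information’ the regulation refers to) are held apart from the data and are the only way to re-identify anyone. The record fields, the HMAC-SHA256 choice and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; not real people.
RECORDS = [
    {"email": "Alice@example.com", "postcode": "SW1A 1AA", "spend": 120},
    {"email": "bob@example.com", "postcode": "EH1 1YZ", "spend": 75},
    {"email": "alice@example.com ", "postcode": "SW1A 1AA", "spend": 30},
]
DIRECT_IDENTIFIER = "email"  # the field that names the data subject


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Deterministic per key, so repeat records for
    one subject collapse to one token; without the key it cannot be reversed
    (a plain hash of an email could be guessed by hashing candidate addresses)."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (dataset, lookup). The key and the lookup table are the
    'additional information' the regulation refers to; store them apart from
    the dataset, under their own access controls."""
    dataset, lookup = [], {}
    for rec in records:
        out = {k: v for k, v in rec.items() if k != DIRECT_IDENTIFIER}
        token = pseudonym(rec[DIRECT_IDENTIFIER], key)
        out["subject_id"] = token
        lookup[token] = rec[DIRECT_IDENTIFIER].strip().lower()
        dataset.append(out)
    return dataset, lookup


def spend_per_subject(dataset):
    """Aggregation that works on the pseudonymised dataset alone."""
    totals = {}
    for rec in dataset:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["spend"]
    return totals


def reidentify(token: str, lookup: dict):
    """Only the holder of the separately stored lookup table can do this."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a separate key store
    print(spend_per_subject(pseudonymise(RECORDS, key)[0]))
```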

The General Data Protection Regulation will change the way sensitive consumer data is managed, by consumers and companies. These changes will translate into changes for insurance companies as they try to protect their small and medium-sized business customers from liability even as they mitigate their own risk. By being prepared for the changes coming in 2018, insurers can protect themselves, their customers, and consumers from unauthorised use and storage of sensitive data.
