How Are We Doing?

Dominic Ralfs – Senior Consultant

After the ‘bad news’ in my last blog, let me try to cheer you up with my favourite subject: food, or rather, cooking.

Many of us will have offered to prepare somebody a special meal and then been horrified when confronted with the mountain of ingredients, the endless recipe and the complicated instructions before ringing the local bistro in panic and begging for the best table.

Looking at the requirements of the General Data Protection Regulation (GDPR), you might feel a similar sense of foreboding. However, if you break it down and tackle every part of this legislation in bite-sized chunks before the 25th of May 2018 then, like your cooking task, it becomes a lot less daunting and much more manageable.

So what effect will GDPR have on London and other insurance markets? The answer is, not too much if it’s done in a timely, ordered and supported process.

At the beginning of June, Pro held a GDPR seminar for 30 people from interested parties. One of the conclusions drawn from the very lively discussions was that company boards in the main are supporting the implementation of GDPR, but one of our real-life statistics showed less than a quarter fully agreed that GDPR had been sufficiently communicated across their business.

Despite this, I don’t feel that the London market is lagging behind other sectors but it’s clearly not on top of GDPR as much as it could be.

Underwriters and brokers need to engage in mapping the different parts of their businesses, conducting a data inventory to ascertain the size of the challenge to fully comply with GDPR, and then prioritise the tasks ahead.

We have suggested that the key industry specific tasks within the data supply chain are, in order:

  1. board approval (including communications),
  2. establish GDPR team,
  3. prepare,
  4. implement,
  5. review,
  6. revise.

By the beginning of this month we would expect underwriters and brokers to have completed the first three tasks, leaving them with implementation (July to end of December), followed by review, revision and embedding the principles by design and default (January 2018 onwards).

Any breaches will be monitored by the UK Information Commissioner’s Office (ICO) and, despite the best planning, it’s likely your company will have a data breach. But, in my opinion, if you can show the requisite policies and processes are in place and that you have done everything to adhere to GDPR, then you shouldn’t have much to worry about. The ICO is taking this seriously; indeed, according to an article in Reactions Magazine on 19th June, it has already held preliminary discussions with insurers concerning the possibility of sharing cyber security breach data.

There is also one ‘London-ism’ that everyone needs to be conscious of – who owns the data? The data controller (usually the underwriter but, in this case, it’s likely to be multiple parties) must ensure their element is compliant. As data passes through the chain from broker to underwriter to reinsurer, each needs to demonstrate their adherence to GDPR.

So, keep calm, treat GDPR like a cooking recipe and, as with the applause that follows the production of a good meal, the satisfaction of a job well done will be remembered long after the washing up has been put away. Bon appétit!