How have insurance brokers adapted to the GDPR?

For the insurance industry, the General Data Protection Regulation (GDPR) looks set to have a significant long-term impact, affecting areas such as automated decision making, data retention, portability and erasure (to name just a few).

So how should insurers handle the new law? The initial GDPR readiness project is now behind you, leading to the next challenge: adapting your existing processes – and perhaps even your entire business model – to accommodate the new data law framework.

Here’s our take on how to absorb the changes as painlessly as possible, to spot the opportunities offered by the GDPR, and to stay on the right side of the regulator.

GDPR and insurance: the big picture

Spurred on by the publicity surrounding the new law, consumers are becoming more data savvy; they want to know who controls their data, what it’s used for and why. Shortly after the arrival of the GDPR, data regulators across Europe reported a sharp rise in the number of public complaints. If this is a taste of things to come, it seems that from now on customers may be significantly more likely to take formal action if they feel their data is being misused.

Meanwhile, through a combination of comparison sites and direct online market access, it has never been easier for your customers to switch providers. Insurers who run into problems with the regulator – or who are seen as non-responsive and untrustworthy when it comes to data – are indirectly giving customers a good reason to look elsewhere for coverage.

By contrast, total transparency, user-friendly ways for customers to exercise their data rights and an ‘all-clear’ record with the data regulator can all help to bring new customers on board – and to convince existing policyholders that you are worth sticking with at renewal time.

Overall, this is perhaps the biggest change that the GDPR will bring about in the long term. Rather than viewing data law compliance as a backroom issue, it’s actually a valuable way of building up customer trust – and of strengthening your credentials as a safe pair of hands.

The rules in focus: what all insurers should be aware of

While certain existing rights and obligations have been strengthened, the GDPR also ushers in some new concepts for insurers to get to grips with. Key changes include the following:

‘New and improved’ data rights for individuals

To illustrate how these rules will have an impact day to day, we’ll use the example of a customer considering her renewal options. It’s a niche policy, and to aid in her research, she asks you for copies of the personal data you hold on her. The GDPR now requires that you supply this free of charge (the right to access).

She has sourced a new provider and requests the transfer of her policy profile to it (the right to data portability). Later on, she requests that you delete her records (the right to be forgotten).

The need for clear, justifiable retention rules

Storage limitation is one of the key GDPR privacy principles: the requirement to store personal data for no longer than is necessary. It’s not acceptable to apply the same retention policy to all personal data in all circumstances without any real analysis.

When rolling out new policy lines, platforms and organisational changes involving new personal data processing activities, you will need to be able to justify your retention period in each instance (e.g. with reference to specific ABI and tax requirements). New GDPR data governance obligations (in particular, mandatory privacy impact assessments) mean that you will have to demonstrate your reasoning here. You will also need to set these policies out in an easily-understood manner for customers via your privacy policies.

Profiling: handle with care

Artificial intelligence is a hot topic for incumbents and insurtechs alike. Automation has long played an important part in, for instance, enabling insurers to put together policy offers. The GDPR doesn’t put an end to this – but it does affect ‘profiling’ and ‘automated decision making’. Profiling is taking information about individuals and using it to put those individuals into categories, often for the purpose of making predictions about their likely behaviour. Profiling is a form of processing of personal data and, as such, is allowed, as long as all the GDPR rules which apply to processing are followed, such as being completely transparent about the profiling and giving individuals the right to object to it.

Automated decision making (which may include profiling) is the ability to make decisions by technological means with no human involvement. The GDPR prohibits this unless it is completely necessary for entering into a contract (unlikely to apply in the insurance context); authorised by law (doesn’t apply to insurers); or made with the explicit consent of the individual (what insurers will have to rely on if they want to make such automated decisions without any human involvement). If such automated decisions are made, insurers will still need to offer individuals the ability to request that a human review the decision.

So let’s say you are following a strategy of increased reliance on AI and automation within your business. This is still likely to be possible – just so long as you hardwire an appropriate level of human input into your processes.

What next? Areas that demand special attention

Privacy impact assessments

For the insurance sector as a whole, the importance of these assessments is hard to overestimate. For one thing, you are likely to be routinely processing some of the most sensitive information relating to individuals; precisely the type of data the new law aims to protect. And especially if you are seeking to implement ‘next generation’ automation, you need to be able to actively demonstrate that individuals’ rights are being safeguarded. Privacy impact assessments are compulsory where automated decision making is taking place.

Establishing a lawful basis for individual processing activities

This is another area that requires a combination of constant vigilance and good record keeping. If you are relying on consent, what would the implications be for your business model if that consent were to be withdrawn? Is your reliance on ‘legitimate interest’ fully backed up? One potential pitfall here includes possible over-reliance on ‘fraud prevention’ as a catch-all legitimate interest, without considering whether this can be justified.

Self service

Enabling customers to securely access their full profile, to take copies and rectify errors: all of this can make it much easier for those individuals to exercise their data rights – and it makes sense from a customer service perspective, too.

The Privacy Compliance Hub: helping you stay on top of compliance

Whether you are refreshing your online platform or reporting an attempted data breach to the regulator, compliance should never be a tick-box exercise. Telling you what you need to do, who should do it and when, the Privacy Compliance Hub provides a complete framework for GDPR compliance. To find out more, take a look at our demo – or get in contact for a chat today.

Can cyber insurance protect my organisation from the GDPR?

A business faced with new obligations is also faced with new risks. This is certainly true of the General Data Protection Regulation (GDPR), which implements new rights and responsibilities as well as a significantly higher penalty for the most serious data breaches.

Prudent businesses will always look to insurance as a means of protecting what’s important. And when it comes to data protection, ‘cyber insurance’ can be especially useful in helping you cover the costs and resources necessary to respond to a data breach effectively. Doubtless, the GDPR will cause many businesses to consider cyber insurance for the first time. We’ve also seen some evidence of insurers jumping on the GDPR bandwagon and using the arrival of the new data protection framework as a selling point for their policies.

For many organisations, cyber insurance can be a useful tool for reducing many of the data protection risks they are faced with. But it cannot cover everything, not least because it currently looks highly doubtful that businesses will be able to recoup ICO fines from their insurers.

So how can insurance help you with the GDPR? This guide looks at some of the myths, benefits and limitations of insurance to help you find out.

What are your biggest GDPR risks?

The penalties linked to the GDPR have attracted plenty of commentary. But the UK’s Information Commissioner, Elizabeth Denham, has been careful to dispel the suggestion that businesses are automatically going to be hit with huge fines for GDPR breaches. The ability to impose financial penalties is just one of the powers available to the ICO, suitable for serious breaches and multiple transgressions. So when considering the risks associated with GDPR non-compliance, organisations shouldn’t just focus on fines, but on a range of other possible consequences, too. These include the following:

  • Costs and resources required to respond to ICO interventions and investigations.
  • Business interruption – especially if the company is required to stop operating while an investigation is ongoing.
  • Civil claims for compensation brought by individuals whose rights and freedoms have been impacted by a GDPR breach.
  • Damage to your reputation. When an ICO issues a sanction, this information is in the public domain.

How can insurance help to reduce GDPR compliance risks?

Directly relevant to your GDPR requirements, cyber insurance can provide a useful level of protection in the following areas:

  • Event management: this includes the costs associated with specialist data recovery and restoration.
  • Systems failure: in the event of an internal system failure, outage or service interruption, insurance can help cover the costs to get back online.
  • Response service: some insurers can provide emergency access to breach response specialists – useful if you do not have this expertise in-house.
  • Breach reporting: costs associated with obtaining professional help with ICO reports and investigation responses.
  • Civil claims: coverage for legal representation as well as compensation and costs for claims brought against you by individuals affected by a breach.

The limitations of insurance for managing GDPR risks

Insurance cannot shield you against all GDPR-related liabilities. Significant limitations include the following:

GDPR fines

Many policies include coverage for regulatory fines, so far as those fines are “recoverable at law”. This is where the difficulties lie. After all, fines are meant to be a deterrent, and if businesses are able to make an insurance claim to avoid paying up, this deterrent effect is lost.

Lawmakers recognise this, which is why there is a long-established “illegality defence” that prevents companies and individuals from using insurance to avoid the consequences of their illegal actions. As yet, there hasn’t been a case before the UK courts to decide whether a data regulator fine can be lawfully covered by insurance. But we already know from other areas of law (e.g. criminal penalties and fines issued by the Competition & Markets Authority) that fines of a “penal” nature (i.e. designed to punish the wrongdoer) are not recoverable.

As we’ve already seen, the ICO does not fine organisations for trivial reasons. Where financial penalties are considered appropriate, it tends to be in cases of blatant and serious failures, or where, despite warnings, the business in question has failed to mend its ways. In other words, in most cases an ICO fine would probably be viewed as “penal” in nature. So even if your policy appears to cover regulatory fines, just be aware that it might later be ruled as not “recoverable at law” – making this area of coverage pretty much useless.

Reputational damage

Many policies include coverage designed to address damaged reputation as a result of a data breach or other cyber incident. So let’s say your business is targeted by a malware attack. The personal data of your customers is compromised, and to make matters worse, you fail to notify the ICO and the individuals affected. Following the subsequent ICO investigation and sanction, you lose close to 20% of your customer base.

Your insurance policy might include coverage for advertising, communications and even expert public relations advice, but it won’t compensate you for lost revenue as a result of the breach.

Insurance is not an alternative to a GDPR compliance strategy

In areas such as response and recovery and getting hold of technical expertise when you need it, cyber insurance can provide a valuable layer of protection. That said, even though it might be billed as ‘GDPR-focused’, insurance can never shield you from the full consequences of a failure to safeguard data or to comply with data protection law.

Effective risk minimisation demands a framework telling you what to do, how to do it, who should do it and when – something that The Privacy Compliance Hub is designed to deliver. To discover how The Hub can help your business stay on top of the compliance risks it faces, take a look at our demo, or get in touch for a chat.

How long should I keep my employees’ data?

Under the new General Data Protection Regulation (GDPR), storage limitation is one of the most important principles that all organisations need to get to grips with. This states that personal data should be kept for “no longer than is necessary” for the purposes for which it was created or obtained. For employee data, special care should be taken when you put this storage limitation principle into practice.

For one thing, when it comes to areas such as payroll, health information and disciplinary records, this data tends to be sensitive in nature and, therefore, needs particular care to ensure that the rights and interests of individuals are protected.

At the same time, it is rarely appropriate to have a ‘one size fits all’ storage limitation rule covering the entire contents of an employee file. What to keep, how to store it, and for how long, depends on multiple factors, ranging from specific HMRC requirements through to protecting your business against any legal claims brought by previous employees.

This guide explains how to put together a retention policy for your employee records, helping you to protect your business, respect the rights of your employees and stay compliant with the GDPR.

Employee records: why you need a GDPR-compliant retention policy

For all types of personal data you process, your business should have a set of internal rules setting out how long data should be stored, depending on the category the data belongs to. Taken together, these rules form your personal data retention policy.

Storage limitation is one of the fundamental GDPR principles; one of the “golden rules” you need to take into account when processing the personal information of individuals, including your employees. You can read more about implementing all seven GDPR principles here.

The GDPR also includes further, more detailed requirements where the principle of storage limitation becomes directly applicable. These include the following:

Privacy by default

This becomes especially relevant when making changes to your existing processes or introducing technologies (a new online HR management portal, for instance). You need to show that you have taken measures to ensure that only data “necessary for each specific purpose of the processing” is processed. This includes keeping storage periods to a minimum.

The information you must provide to employees

Staff personal data tends to fall into three categories: data supplied to you by the employee (e.g. bank and contact details), data supplied by third parties (employer references and information from the Student Loans Company) and data created by you (training and conduct records). In all three cases, the GDPR requires that you provide employees with information on what you hold, its purpose, and how long you will hold it.

If your retention rules seem arbitrary, with no real justification behind them, you could be regarded by the data regulator as having failed in your duty to treat employees in a “fair and transparent” way.

The right to be forgotten

Our guide to erasure explains more about this important new aspect of the GDPR. In the event of requests from former employees asking you to delete the records you hold on them, a thorough retention policy enables you to respond appropriately. In particular, it stops you from inadvertently erasing data that you are obliged to hold on to (for tax purposes, for instance).

Retention periods for various categories of employee records

The periods we’ve suggested below are for broad illustration only. To formulate your own retention policy, you should also bear in mind the following:

  • HMRC rules. Statutory rules for retention of records can change from time to time, so make sure you keep a lookout for official updates.
  • Professional regulatory guidance. Your regulator may set their own retention guidelines (relating to training or professional conduct, for instance).
  • Insurer recommendations. Your employers’ liability and professional indemnity insurers may issue instructions on how long to keep the type of records relating to potential claims (e.g. linked to accidents at work).

Suggested periods by category of record:

  • PAYE and NI data – including tax code notices: three years from the end of the tax year to which they relate.
  • Statutory Maternity/Paternity/Parental Pay: three years after the end of the tax year in which the pay period ends.
  • Pension records: auto-enrolment records need to be retained for six years from the date of enrolment. Opt-out notices need to be kept for four years.
  • Records of accidents at work: at least three years from the date on which the incident occurred.
  • Records relating to exposure to hazardous substances: at least 40 years from the time of exposure. This is because damage linked to exposure sometimes takes many years to become apparent. Employees generally have three years from becoming aware of symptoms within which to take legal action.
  • Personnel data. This includes absence records, training logs, performance reviews, documentation relating to any redundancy process and records of disciplinary proceedings. Many organisations will be able to claim a legitimate interest in retaining these records for up to six years from the end of the employment period. The standard time limit for bringing most Industrial Tribunal claims is three months from the end of the employment period. However, it’s worth remembering that in theory, there is a possibility of civil claims for breach of contract for up to six years.

Further help from The Privacy Compliance Hub

The Privacy Compliance Hub offers a complete framework for staying on top of your GDPR compliance obligations. When it comes to data retention, this includes enabling you to assess, categorise and justify specific rules for data right across your organisation. To discover how it works, check out our demo or phone for a chat today.

Could human error cause a data breach under the GDPR?

The General Data Protection Regulation (GDPR) aims to create a new data environment; one where individuals have better control over what happens to their personal information and where organisations are held to account if they fail in their safeguarding obligations.

From email marketing through to cyber security, much of the advice on the GDPR focuses on the technical and process-based changes businesses need to make. But compliance isn’t something you can automate and ongoing compliance cannot be achieved unless the people within your business understand and are able to meet their data-related responsibilities.

Even with the best intentions, customer data requests can be overlooked, people can make security slip-ups and reporting obligations can be missed. Human error can mean sleepwalking towards a regulatory penalty – making this one of the most significant compliance risks faced by any business.

Here, we look at some of the common areas of data management, privacy and security that can be impacted by human error, what this means for your GDPR compliance strategy and what you can do to minimise the risk.

How your employees can jeopardise your GDPR compliance efforts

From staff inadvertently clicking on infected Web links to sending the wrong information to the wrong address, the majority of data breaches are thought to be down to human error. Even when organisations are targeted by attacks from the outside, more often than not it’s a case of the attacker taking advantage of weaknesses that could and should have been closed down. Last year’s WannaCry ransomware attack, in which attackers exploited a weakness in Windows to cripple hundreds of thousands of computers across the globe, illustrated this. In fact, Microsoft had issued a patch to fix the weakness months before the attack. In the vast majority of cases, installing the patch would have insulated those endpoints from the attack.

Lack of training, a momentary lapse, procrastination – or simply having too many things to do: any of these can give rise to error. Here’s how this can hamper GDPR compliance:

Creating compliance blind spots

Examples include focusing your compliance efforts solely on customer data while overlooking other areas, such as how you safeguard your HR data. ‘Technical bias’ can also be an issue here – especially if your IT team is taking the lead on compliance. For instance, lots of attention might be paid to safeguarding digital data (e.g. through encryption and system access restrictions), while nobody considers what to do with your filing cabinets full of legacy physical records.

Lack of training and clear responsibilities

A previous customer sends an email requesting copies of her account records. Your new customer services rep (who doesn’t know anything about the GDPR) has been told to prioritise replies to potential new customers, so this subject access request goes unanswered and un-actioned.

Meanwhile, your IT team has picked up on a data breach. This has been identified and rectified before any “risk to the rights and freedoms of data subjects” arose. The GDPR requires that the incident is logged internally. But each team member assumes that someone else has made the entry, so it isn’t dealt with.

Lack of visibility

Your customer data is scattered across multiple locations and formats. When a customer asks you to confirm what data you hold on them, you overlook some information held on a rarely-accessed database. This leads you to give a misleading and inaccurate response.

As another illustration, you receive a formal complaint from a customer who recently removed their consent for receiving marketing communications, but has just received your latest emailed newsletter. It turns out that you failed to apply the latest version of your communications suppressions list before sending out the email.

Staff exploitation

A hacker masquerading as a representative from your courier partner sends an email to your warehouse manager. Your employee responds, enclosing the names and delivery addresses for your next batch of orders.

Competing priorities

Mid-way through installing critical software updates on office desktops, your in-house technician is called away to solve another problem. This distraction causes the patching round to fall by the wayside, leaving your network vulnerable to breaches.

In itself, a data breach doesn’t automatically give rise to a GDPR penalty. But if the safeguarding measures you had in place are not deemed “adequate”, or if your action (or lack of it) negatively impacts the rights of individuals, you may find yourself having to deal with the data regulator.

To avoid this, organisations should focus on creating the type of environment where mistakes are less likely to happen.

Training

Areas of training to cover include the following:

  • Cybersecurity best practice. This includes password protection, avoiding fraud attempts (e.g. via spear phishing attacks) and what to do if an error has occurred.
  • Responding to data subject requests. Especially relevant to customer service staff – including those who are responsible for administering your social media feeds. Employees need the ability to spot enquiries relating to data rights, such as requests for access or erasure. Failure to action these requests swiftly (and within 30 days) can give rise to penalties – so your people need to appreciate the importance of this.
  • Data governance. For privacy impact assessments, records of processing activities, internal breach logs and reporting breaches to the regulator and data subjects, ensure there are nominated persons responsible for these tasks. This avoids people mistakenly assuming that individual record keeping tasks are ‘someone else’s job’.

Automation and monitoring

Certain tools are designed to remove the possibility of human error. For instance, on the security front, specialist management tools can help keep you in better control of your encryption keys, making it less likely that encrypted data is erroneously ‘unlocked’ by cyber criminals.

As a rule, reliance on manual input increases the scope for human error. Suppression lists are a good example: when a customer withdraws their consent to receive communications and you need to update your records, it is far more reliable if your list is updated automatically, rather than relying on an employee to update an Excel spreadsheet.

As part of their wider cybersecurity strategy, businesses should also consider ‘early warning’ solutions that can notify you that a breach may have occurred. Security information and event management (SIEM) tools are designed to identify unusual and potentially harmful actions (an attempted login from a previously unseen device, for instance). So even if an employee has made a mistake, you can address it swiftly.
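The ‘previously unseen device’ check described above, as an added example that is not part of the original article or of any product: a small SIEM-style rule run over constructed sample login events. The JSON event fields, user names and device identifiers are assumptions made for the example; a device only becomes ‘known’ for a user after a successful login, so repeated attempts from an unknown device keep raising alerts.

```python
# Added example: flag login attempts from a device not previously seen for that user.
# Not the article's or any vendor's code; event format and values are constructed.
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line, as a SIEM might ingest them.
SAMPLE_LOG = """
{"ts": "2018-07-02T08:01:10Z", "user": "alice", "device": "LAPTOP-A1", "outcome": "success"}
{"ts": "2018-07-02T08:03:42Z", "user": "bob", "device": "DESKTOP-B7", "outcome": "success"}
{"ts": "2018-07-02T09:15:00Z", "user": "alice", "device": "LAPTOP-A1", "outcome": "success"}
{"ts": "2018-07-02T23:48:31Z", "user": "alice", "device": "UNKNOWN-9F", "outcome": "failure"}
{"ts": "2018-07-02T23:49:05Z", "user": "alice", "device": "UNKNOWN-9F", "outcome": "success"}
{"ts": "2018-07-03T07:55:12Z", "user": "bob", "device": "DESKTOP-B7", "outcome": "success"}
"""

REQUIRED_FIELDS = {"ts", "user", "device", "outcome"}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not crash the detection rule
        if isinstance(evt, dict) and REQUIRED_FIELDS.issubset(evt):
            events.append(evt)
    return events


def detect_new_device_logins(events, known_devices=None):
    """Return alerts for login attempts from a device the user has not logged in from before.

    known_devices: optional baseline {user: {device, ...}}, e.g. from an asset inventory.
    Without a baseline, a user's first successful login enrols that device silently
    (a learning phase); after that, any other device triggers an alert on every
    attempt until it is enrolled by a successful login.
    """
    seen = defaultdict(set)
    for user, devices in (known_devices or {}).items():
        seen[user].update(devices)

    alerts = []
    for evt in events:
        user, device, outcome = evt["user"], evt["device"], evt["outcome"]
        if device not in seen[user] and seen[user]:
            # Successful access from a new device is worse than a failed attempt.
            alerts.append({
                "ts": evt["ts"],
                "user": user,
                "device": device,
                "outcome": outcome,
                "severity": "high" if outcome == "success" else "medium",
                "reason": "login attempt from previously unseen device",
            })
        if outcome == "success":
            seen[user].add(device)  # enrol the device only after a successful login
    return alerts


if __name__ == "__main__":
    for alert in detect_new_device_logins(parse_events(SAMPLE_LOG)):
        print(alert)
```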

The Privacy Compliance Hub

Human error is a fact of life – and the risks associated with it cannot be eliminated completely. That said, through proper training, you can help to build the type of compliance-focused culture where mistakes are less likely.

The right support is also crucial, and this is precisely what The Privacy Compliance Hub is designed to provide, telling you what to do, how to do it, who should do it and when. To discover how it works, take a look at our demo, or contact The Privacy Compliance Hub for a chat today.

Building a GDPR compliant culture in your business

Let’s bust some GDPR myths. First, compliance with the GDPR is not a box-ticking exercise. Second, it is not a job that you simply hand over to someone else to do. Third, compliance with the GDPR is not solved with templates, checklists or technology (although they do help).

The run-up to the implementation of the GDPR on 25 May 2018 was hectic. Some organisations panicked and, perhaps, bought a technological solution that they thought would do compliance for them, or hired a consultant with the same objective. Other organisations buried their heads in the sand, crossed their fingers and hoped it would all go away. US organisations wondered why on earth this European law applied to them (if you want to know why it does, see our article on the topic).

Since 25 May 2018, many organisations have sat back and relaxed, either because they think that their work is done, or because having done nothing, the regulator is still not knocking on their door. However, as the recent Ticketmaster data breach shows, organisations have to be constantly vigilant.

What is GDPR compliance?

GDPR compliance is not something with a project end date. It is ongoing. Having the right policies in place, carrying out a data inventory and securing personal data are all fundamental to GDPR compliance, but none of these will stop a data breach occurring. None of these will prevent the bad publicity and fines associated with such a breach. And those risks are relevant as much to US organisations as European organisations (see our article on what US organisations should do in the event of a data breach).

People talk about GDPR compliance being ‘a journey not a destination’. What exactly do they mean by this? Well, those policies that you had drafted need updating. That data inventory that you carried out needs to be kept up to date as you collect more personal data from different sources, share it with different people and process it in different ways. As cybercriminals become more sophisticated or discover new weaknesses, you need to change the way that you keep personal data secure, to keep up to date with evolving industry standards.

It is this never-ending compliance journey which keeps an organisation on the right side of the law. But how do you deal with the potential weakness which is your staff? At a conference we recently spoke at in New York, a delegate asked, “What can an organisation do to prevent a data breach?” The answer from the IT security consultant being asked the question was, “Sack all your staff”. The point he was making was that potentially the weakest point in any organisation as far as personal data are concerned is the individuals that work with it.

You need to turn that potential weakness into a strength. You should build and embed a culture of compliance within your organisation so that the individuals that work within your organisation are all contributing to compliance – they are your first line of defence and they make sure that you do compliance properly.

Why does having a GDPR compliant culture matter?

GDPR compliance is not something that you hand over to someone else to do and it is not something that any one person can do. It can only be achieved if you have a cross departmental team responsible for building and maintaining GDPR compliance and an educated workforce which understands what GDPR compliance is, why they should care and what they should look out for.

The risk of not having a compliant culture is that people don’t understand and don’t care. If your staff only associate the GDPR with annoying emails talking about marketing preferences and cookies then they are not going to spot that phishing email. They will share passwords. They will put documents on unencrypted personal laptops. They will share personal data with third parties without checking first that such third parties will protect that personal data (the recent Ticketmaster breach was caused by a third party processor being attacked rather than Ticketmaster itself).

How to create a GDPR compliant culture

You need to make data protection interesting. Easier said than done we know, but this is the key. Make everyone understand that data protection is more than computer hackers and annoying emails. Connect data protection in your staff’s personal lives with their professional lives. If they understand that it is important for Tinder to keep their online dating profile secure, they are more likely to understand that they should keep their customers’ personal data secure.

The Privacy Compliance Hub contains posters which can be put up around the office to reinforce messages in a user-friendly way. One of our clients had t-shirts printed with key points on them. We provide engaging videos which encourage staff to listen rather than ignore important messages.

The importance of training your staff

By far the most important way that you can make compliance interesting and create that compliant culture is by training your staff. The Privacy Compliance Hub provides different forms of training for organisations to use to train their staff, including video training delivered directly to individuals by the Hub itself, wherever those individuals are located. This is particularly important if staff work from home, on-site, or at a number of different offices.

If all your staff understand the basics of data protection, mistakes with personal data are much less likely to happen. Training should be refreshed periodically so that messages are not forgotten. Ideally, certain staff should be trained in areas of data protection specific to their role. For example, marketing staff should be fully aware of how to send marketing emails within the law (see our article here).

A shortcut to building a GDPR compliant culture?

Everyone wants a shortcut. The Privacy Compliance Hub makes things simpler and easier, helping you build the culture of compliance that you need. It doesn’t do the job for you, but it does help you get started and stay on track on your GDPR compliance journey. To find out how The Privacy Compliance Hub can help you, complete the form below to see a demo or get in touch for a chat.

US Privacy Shield and the GDPR: what has changed?

The General Data Protection Regulation (GDPR) is designed to ensure that the personal data of EU citizens is safeguarded – no matter where in the world it is processed. With this in mind, the GDPR generally prohibits the transfer of personal data outside the EEA, apart from to those countries deemed to have adequate data protection laws in place.

Only very few countries are deemed to have “adequate” data protection laws and currently the United States is not included on that list. This is where the Privacy Shield comes in – an agreement between the EU and the US that sets out certain minimum standards in relation to data processing.

On a practical level, US companies that participate in the Privacy Shield framework and comply with its requirements are able to show that their data protection procedures are robust enough to do business in the EU. As such, signing up to (and complying with) this voluntary scheme can be a useful gateway towards achieving GDPR compliance.

That said, the GDPR brings into force a wide range of requirements on businesses, many of which go over and above the basic protection principles set out under the Privacy Shield. Signing up to the Privacy Shield is not an automatic passport to full GDPR compliance for US companies.

Here, we’ll take a closer look at how the GDPR and The Privacy Shield work together and at what you need to do to ensure full compliance with EU privacy law.

The Privacy Shield – what is it for and how does it work?

From small retailers through to huge social media platforms, EU lawmakers know that their citizens want to do business with organisations located across the globe (including the US). Unless those companies have a substantial physical presence in Europe (an order processing centre, for instance), providing a service will almost always involve transferring personal data outside the EU.

At the same time, lawmakers want to ensure that individuals get basically the same level of protection regardless of where their personal data is processed and that they have enforceable rights if an organisation breaches its responsibilities. As such, and much like the Data Protection Directive that was previously in force, the GDPR stipulates that personal data may only be transferred out of the EEA if certain conditions are met.

There are alternatives to The Privacy Shield for non-EU organisations which may be important for US organisations that aren’t eligible to participate in The Privacy Shield:

  • Binding Corporate Rules (BCR) – especially relevant to large companies with a number of subsidiaries, the use of BCR involves drawing up a very detailed code of conduct detailing how personal data are going to be processed within an organisation. To be valid, BCR have to be pre-approved by a European data regulator (e.g. the ICO in the UK or CNIL in France).
  • ‘Model clauses’ – these are available to some non-EU organisations where that organisation is either a controller or processor receiving personal data from an EU controller. The clauses are in a specified format which can’t be negotiated. They are not available where the non-EU organisation is a controller receiving the personal data directly from the data subject themselves.

Model clauses are convenient but do not provide the same badge of trust as The Privacy Shield. BCR are expensive and cumbersome compared to The Privacy Shield framework which offers US companies a more convenient and less “admin-heavy” method of transferring personal data out of the EU in a lawful manner. Here are some of its key features:

  • It is a voluntary arrangement and to make use of it, organisations need to sign up via the US Department of Commerce. You can read more about the process, including full eligibility details, in this official guide.
  • To participate in the scheme, organisations must put in place “robust mechanisms” to ensure that the principles set out under the Privacy Shield are adhered to. These principles cover information to be provided to data subjects, data minimisation, preventing unlawful use, security, safe transfer, the right to access and the right to complain.
  • There is a sliding-scale range of fees for participation (these are determined by the size of the company).
  • A Privacy Shield sign-up needs to be renewed annually to remain valid. While an organisation is registered, its name appears on the Department of Commerce list of Privacy Shield participants. In itself, this can be a reassuring sign to other organisations that an organisation is a safe pair of hands when it comes to personal data.
  • Once a valid Privacy Shield certification is in place, an organisation may transfer and process the personal data of EU citizens without the need for pre-approval from an EU regulator.

The foundational Privacy Shield principles align broadly with the seven core GDPR principles (you can read more about these here). But at the same time, you need to keep on top of those key GDPR requirements that fall outside the scope of The Privacy Shield.

These additional areas include the following:

Data access, erasure and portability

Privacy Shield participants are required to grant data subjects access to their personal data on request and to do so within a “reasonable” timeframe. The GDPR is more detailed in its requirements in this area, stipulating that requests generally ought to be dealt with within “no later than 30 days” of receipt of the request.

The GDPR also establishes new rights to erasure and portability that are not explicitly covered under The Privacy Shield. These mean that, if certain conditions are met, data subjects may request that personal data be deleted or transferred directly to the data subject or a third party. US organisations need to ensure they have procedures in place to assess the legitimacy of such requests and to facilitate them.

Ensuring data security and privacy

Mirroring the language of the GDPR, The Privacy Shield stipulates that companies must secure data against loss, misuse, unauthorised access, disclosure, alteration or destruction, taking into account the nature of the personal data and the risks faced.

The GDPR is more descriptive, stipulating that the twin principles of Privacy by Default and Design are applied to any new data processing activity you introduce. Linked to this is the need to carry out Privacy Impact Assessments for new activities, whereby privacy issues are identified at the design stage and suitable safeguarding measures are adopted – right from the outset. All of this has to be documented.

If you adhere to the Privacy Shield obligations concerning data subjects’ ‘right to be informed’, it should help you stay on top of your GDPR obligations concerning lawfulness, fairness and transparency. But especially when it comes to privacy notices, you should look carefully at what the GDPR specifies ought to be included.

And if you are relying on the basis of data subject consent for processing activities, make sure you understand and implement the procedures required under the GDPR for securing this consent (i.e. it should be freely given, easily understood and capable of being withdrawn easily).

General data governance obligations

Most US companies that do not have a physical presence in the EU will need to nominate an EU representative – and this includes those companies that sign up to The Privacy Shield. The representative is essentially your company’s go-between for dealing with supervisory authorities. Our guide for US companies provides further information on this.

What next?

Recently, members of The European Parliament have questioned the effectiveness of The Privacy Shield, amid suggestions that US authorities are failing to police it adequately. Its provisions are subject to annual review by the European Commission and US Department of Commerce, so businesses shouldn’t be surprised if a new version arrives in the near future.

This speculation surrounding The Privacy Shield also highlights the fact that compliance isn’t a ‘one-off’ event; businesses need to be constantly vigilant about changes to the law to ensure they stay on top of their obligations.

For many US companies, applying for Privacy Shield certification is a useful first step in achieving compliance. Beyond this, The Privacy Compliance Hub offers a complete framework for meeting your obligations under EU data protection law. To see how it can help your business, take a look at our demo, or get in contact for a chat today.

How to ensure your email marketing is GDPR compliant

There is a lot of information about how to send email marketing and stay within the law. Some of it is correct, some of it is wrong and some of it is simply confusing. Organisations seeking a simple answer to a simple question are frustrated. Unfortunately, neither the legislators nor the regulators have been particularly helpful, sending out numerous sets of guidelines and leaving the law spread across different instruments. This resulted in the deluge of emails we all received in our inboxes in the days running up to the implementation of the General Data Protection Regulation (GDPR).

This frustration has had a significant impact on marketing departments within organisations as they don’t know what to do, or what risks they are taking.

In this article, we will give you the simple answer to the simple question – “How do companies send out marketing emails and stay within the law?” First, we will explain what has changed and how the confusion has arisen.

Before 25 May 2018 – the Data Protection Act and PECR

Prior to 25 May 2018, marketing emails were governed by the Data Protection Directive (enacted in the UK by the Data Protection Act 1998 (DPA)) and the Privacy and Electronic Communications Regulations 2003 (PECR). The latter deals with matters such as sending marketing by email, text, post and telephone.

That is a lot of law to read when all you want to do is send a marketing email!

PECR states that you must have consent to send marketing by email and what constituted valid consent was set out in the DPA. To confuse matters, PECR says that you don’t need consent if certain circumstances contained in PECR are satisfied, allowing you to send email marketing using what is called a ‘soft opt-in’.

Put simply, ‘soft opt-in’ means that even though an organisation has not got true ‘opt-in’ consent from an individual to send email marketing, it could still do so if:

  • the individual was a previous customer;
  • the email relates to similar products/services;
  • the individual was given the opportunity to ‘opt-out’ at the time the organisation collected the individual’s personal information; and
  • the individual is given the opportunity to ‘unsubscribe’ each time he or she is subsequently sent a marketing email.

The DPA has now been replaced by the GDPR, but PECR is still around.

Still with us? Got those acronyms in your head? Well done. Let’s keep going.

After 25 May 2018 – the GDPR and PECR

Sending a marketing email constitutes the processing of personal data. To process personal data you need a ‘lawful basis’. There are two lawful bases available for marketing: ‘consent’ and ‘legitimate interests’. However, ‘legitimate interest’ does not work for marketing emails because PECR makes it clear that you need consent to send marketing emails (unless you qualify under the ‘soft opt-in’ under PECR). If you need consent (because you don’t qualify under the ‘soft opt-in’ under PECR), that consent needs to be of the quality required under the GDPR. It is the quality of consent that has changed in the GDPR compared to the quality of consent required under the DPA.

The GDPR requires that the consent to send marketing emails has to be freely given, specific, informed, unambiguous and provided by some form of clear affirmative action.

In other words, unless you can rely on the ‘soft opt-in’ under PECR, you need the individual’s specific opt-in consent to receiving email marketing, given by some positive action such as ticking a box.

Still with us? We are getting close to the practical conclusion you are looking for.

How you stay within the law

This is what you should do before sending a marketing email.

First, establish what rights (if any) you have got to send marketing emails to your current marketing database. Did you get opt-in consent? Did you give individuals the right to opt-out? Was there an unsubscribe link in every email you sent them?

  • If you got consent, was it of the quality required under the GDPR? If not, you need to get such GDPR-quality consent before sending your marketing email, i.e. send an email requesting such specific, opt-in consent.
  • If you got consent for some and not for others and you can’t easily identify which are which, you should probably get GDPR-quality consent before sending your marketing email, i.e. send an email requesting such specific, opt-in consent.
  • If you think that you are able to rely on the ‘soft opt-in’ in respect of your existing database then you have a choice to make. Either:

(a) you decide that you want GDPR-quality consent from every individual so that the quality of your marketing database moving forward is high, i.e. send an email requesting such specific, opt-in consent; or
(b) you decide to continue to rely on ‘soft opt-in’ for all individuals (past and future) on your marketing database, i.e. carry on as you always have; or
(c) you draw a line on a certain date and create two marketing databases – the past database relying on ‘soft opt-in’ and a future database relying on GDPR-quality consent, i.e. you get GDPR-quality consent from new customers moving forward.

Second, make sure that your privacy policy makes it clear to individuals how you use their personal data for marketing and how they can choose not to receive such marketing.

Finally, you also need the right processes in place to ensure that any individuals who want to be removed from your databases are removed.

But, watch this space

Unfortunately, there is more law on the way. The new ePrivacy Regulation was meant to come into force at the same time as the GDPR and replace PECR. This still hasn’t happened and that is why we have the current confusion.

Because of the uncertainty over what is going to happen to the ‘soft opt-in’ under the ePrivacy Regulation, we are advising all our clients of The Privacy Compliance Hub not to rely simply on ‘soft opt-in’ under (b) above and, instead, to make a choice between options (a) and (c).

Consequences of getting it wrong

There are rather extreme possible consequences of not staying within the law when sending your marketing emails. See our article on penalties under the GDPR here. We think that the regulator is likely to take an industry approach to enforcement. If it thinks that a particular industry is acting badly then it will target that industry.

We have also found that our ‘B2C’ clients have most to worry about from getting this wrong. Individuals are trolling for companies who are not sending marketing emails correctly. They are making claims in court, threatening to report the company to the regulator and, sometimes, following through on that threat unless they can settle the matter for a suitable sum. This is the sort of aggravation that companies really can do without!

The Privacy Compliance Hub

The Privacy Compliance Hub contains everything organisations need to comply with the GDPR without resorting to expensive lawyers or consultants. Feel free to request a demo by filling in the form below, or simply get in touch for a chat.

The impact of the GDPR on internet privacy laws

The EU’s General Data Protection Regulation is already making its presence felt on websites, social media platforms and online marketing campaigns – not just in Europe, but right across the globe.

The new law strengthens the data rights of EU residents. Linked to this, there are new obligations on the organisations that control and process this data. No matter where you are based, the GDPR requires you to follow the rulebook.

While some of these new rules complement existing laws in various countries, many of the new requirements (e.g. mandatory breach reporting and various internal record-keeping procedures) will be unfamiliar to many businesses.
GDPR compliance affects your website and all internet platforms. It has implications for user experience, content, tone of voice, marketing, analytics, back-end security and, in fact, virtually all online activities. Here’s a rundown of how the new legal framework is likely to shape these activities and how it co-exists with other internet-related privacy laws.

How global websites are reacting to GDPR

The new law is designed to protect the data-related “rights and freedoms of individuals” in what is now a global online marketplace. Here’s the upshot: if you want to do business in Europe, you have to follow the rules, and failure to do so can result in sanctions, including the possibility of hefty fines and (for non-EU businesses) possible curtailment of your EU web operations.

Two contrasting examples highlight how global businesses have reacted to this:

The self-imposed European exile

Currently, if you try to access the LA Times website from the EU, a message tells you that it’s blocked while the organisation works on “technical compliance solutions” suitable for its EU market. A handful of other organisations have followed suit. If the European market represents only a small portion of your business, a cost/benefit analysis might conclude that making the changes necessary to get in line with the GDPR isn’t worth it.

That said, for the majority of businesses, market expansion is a top priority. “Going nuclear” and cutting yourself off from the world’s biggest and richest trading bloc is one option. Absorbing the changes you need to make and implementing them is likely to be a far more attractive way forward.

The roll-out of GDPR provisions for ALL your online customers

As India’s Economic Times highlighted, the arrival of the GDPR meant that many individuals in that country received a flurry of emails from Indian businesses, asking them to renew their consent to receive marketing communications.
Strictly speaking, there was no legal reason for this (GDPR only seeks to protect EU residents). However, organisations doing business in the EU needed to change their procedures to take into account the new law. And rather than limit these changes to their EU customer base, many have applied them across the board.

From a practical, administrative point of view, it’s likely to make far more sense to make sure that ALL your online customers feel the benefits of your GDPR changes. For example, not levying a charge for subject access requests and making it possible to transfer data from one controller to another make sense for a consumer-centric organisation.

Through this approach, whether you are based in San Diego, Sydney or Strasbourg, your online customers are getting the same transparent appearance, along with reassurances that you are following data safeguarding best practice. Malware attacks and the likes of the Facebook data mining scandal make headlines across the globe; so as consumers become more ‘privacy savvy’, this approach could give you a valuable competitive edge.

Consent and online marketing: how to juggle GDPR and PECR

The GDPR requires that you assess and establish a lawful basis for each personal data processing activity. For most online marketing initiatives (e.g. e-newsletters and email campaigns), ‘consent’ will be the appropriate lawful basis for most businesses to rely on.

Meanwhile, a pre-existing piece of legislation, the Privacy and Electronic Communications Regulations (PECR) gives specific rules concerning marketing emails, text messages and telemarketing calls. A decision on how to use such marketing channels and stay within the law requires an analysis of both pieces of legislation.

To help you get to grips with this, our guides to marketing and b2b communications provide useful reading. The Privacy Compliance Hub provides even more practical guidance to its customers in what is a complicated area.

Check for regional privacy law variations

For the most part, the GDPR sets out a single data privacy framework, with the same rules applicable to individuals right across the EU. That said, there are a few areas where EU Member States have the discretion to set their own rules and procedures.

One such area relates to the minimum age at which children are deemed capable of giving consent to having their data processed. The majority of EU countries set this at age 13, although some (e.g. The Netherlands and Spain) have higher age limits in place. You should look at this especially closely if your online offering is geared towards younger users.
Healthcare and other types of sensitive data are most likely to be subject to regional variations. Health providers with an online presence both in the EU and US should also check out our guide to GDPR and HIPAA.

Juggling data minimisation principles with data retention requirements

From customer service chat facilities, through social media to GPS and behavioural information, companies with an online presence can very quickly build up vast quantities of personal data. The GDPR demands that you only collect what’s necessary for legitimate processing purposes and that you retain it only for as long as it is needed for those purposes.

Alongside this, the GDPR enhances the ability for individuals to request that their data be erased or transferred to other parties under certain circumstances.

If you operate in a highly regulated sector, you may also need to factor in specific rules that dictate record keeping. The Markets in Financial Instruments Directive (MiFID) is a good example of this. Applicable to firms engaged in investment activities, it demands that you retain a wide range of data and information, including marketing communications, details of complaints and transactions, and transaction records.

If you operate under detailed data retention rules, you need a system for classifying different types of data as they are collected or created. In this way, you can identify what you need to keep (and for how long) – and what personal data can be earmarked for shorter retention periods. This approach makes you better able to balance customer privacy with your other legal obligations – and should also make it easier to respond to erasure/transfer requests with less hassle.
Your approach and its implementation must be documented and recorded which is made easy by using a comprehensive compliance solution such as The Privacy Compliance Hub.

Next steps

If you are interested in taking a look at a complete online compliance programme which enables organisations to stay on top of the GDPR and other EU-wide privacy legislation, request a demo to see how The Privacy Compliance Hub works – or call for a chat today.

American companies and the GDPR: how to deal with data breaches

Many US organisations already operate under a host of Federal and State obligations concerning what to do in the event of a data security breach. On top of these, if you process the personal data of European residents (even if you don’t have a physical presence in the EU), the arrival of The General Data Protection Regulation (GDPR) brings with it an additional set of rules to follow.

Brought into force on 25 May 2018, the GDPR was designed to create a safer data environment for individuals; one that’s fit-for-purpose within the new global data marketplace. As well as giving individuals (e.g. customers and employees) a greater say in what happens to their personal data, it places new obligations on the organisations that control and process that data. Mandatory breach reporting and new data governance requirements are a significant part of this.

Here, we explain what GDPR demands of companies on the data security front – and outline the “who, what, where and when” of breach reporting for US-based companies.

Data security: what are my GDPR obligations?

If you control or process personal data, you are under a duty to implement “appropriate technical and organisational measures” to address the specific security risks you are faced with. In a phrase that features heavily throughout the new law, the GDPR demands that you have particular regard to the “rights and freedoms of individuals” when assessing this. So in simple terms, the more sensitive the data (bank details and health information, for instance), the greater the potential impact on individuals and, therefore, the greater the need for robust protective measures.

Pseudonymisation, encryption, data restoration and regular systems testing are all cited as measures that may form part of your security risk reduction programme. You can take a closer look at what’s expected of companies in our guide, Data protection breaches: best practice under GDPR.

If your US organisation has accreditation to show that you follow security management best practice, this can be valuable in helping to demonstrate that the measures you have in place are appropriate. However, as our guide to ISO 27001 explains, obtaining certification shouldn’t be seen as a shortcut to full compliance.

Under what circumstances should you report a breach?

For a start, the GDPR is concerned with personal data. So if a breach is isolated to business data (e.g. a targeted instance of IP or internal accounts theft), or if you can be sure that the breach has affected only your domestic operation and not your EU customer database, it falls outside the GDPR’s scope.

A breach is described as an event leading to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, transmitted, stored or otherwise processed.” Helpfully, the GDPR Working Party has classified potential personal data breaches according to three internationally-recognised categories:

  • Confidentiality breaches: where data falls into the wrong hands.
  • Availability breaches: where there is a loss of access to, or destruction of, data.
  • Integrity breaches: where data is corrupted or otherwise altered.

Personal data breaches must be notified to the relevant supervisory authority unless the breach is “unlikely to give rise to a risk to the rights and freedoms of natural persons”.

As an example, a US company’s worldwide customer database is hit by a malware attack. The network intrusion was isolated and a backup procedure was instigated. However, there is a strong possibility that personal data – including financial information – was accessed by the attacker. In these circumstances, notification would be necessary.

By contrast, an employee loses a laptop containing customer data. Robust encryption procedures mean that access to that data is not possible. The company concludes that there is no likely risk to the rights and freedoms of individuals and is, therefore, not obliged to report the breach to the relevant supervisory authority.

Does the number of persons affected matter under the GDPR?

With HIPAA, for instance, breaches are only generally reportable if the records of 500 or more individuals are affected. Under the GDPR, there is no such minimum cut-off. Depending on the circumstances, if there’s a risk to the rights and freedoms of just one or a handful of persons, the breach may still be reportable.

Time limits for reporting a security breach to the supervisory authority

Similar to the NYDFS cybersecurity regulation, data controllers must notify the supervisory authority of the breach without undue delay – and no later than 72 hours after becoming aware of the breach.

Information to be provided to the supervisory authority

Your designated supervisory authority (e.g. the ICO in the UK or CNIL for France) will have a facility for reporting security breaches, accessible through the relevant authority’s website. You will be asked to provide information on the nature of the breach, the category and the approximate number of persons affected, and the likely consequences. You will also be asked to describe the measures you have taken – or propose to take – to mitigate the effects of the breach.

Who is your supervisory authority?

Many US businesses will have customers scattered across the EU, along with a physical presence in multiple member states. Here, the GDPR’s ‘one-stop-shop’ mechanism applies. It requires multinational organisations to identify their EU ‘main establishment’ (i.e. where the bulk of the company’s European operations are administered). The supervisory authority will be the data regulator for the country in which that main establishment is situated.

If your business has a European customer base but does not currently have a physical presence in the EU, it may be necessary to appoint an official representative. You can read more about this in our general GDPR guide for US businesses. In these circumstances, your relevant supervisory authority will be the data regulator for the country in which your representative is based.

Notifying data subjects

Where there is a high risk to the rights and freedoms of individuals, you are also required to inform the individuals affected by the breach. In practice, in the majority of cases where breaches are reportable to the data regulator, subject notification will also be required.

You need to explain to the persons concerned in clear language what has happened, its consequences, what you are doing about it and the steps the individuals should take to protect themselves (e.g. notifying their bank, changing their passwords or flagging up suspicious communications).

Internal records

The GDPR requires you to keep an internal log of personal data security breaches, setting out what happened, its effects and remedial action taken. Note that this applies to all breaches – even if there was no impact on the rights and freedoms of individuals.
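The breach-handling rules above (scope, the three Working Party categories, the risk test, the 72-hour clock, subject notification for high risk, and an internal log of every breach) can be turned into a simple breach register. The code below is an added, constructed example and is not part of the original article or of The Privacy Compliance Hub; the risk rule it applies is a deliberately simplified assumption, since the real assessment is a documented judgement, and the two sample incidents are constructed to mirror the malware and encrypted-laptop scenarios in the text.

```python
"""Constructed GDPR breach register: logs every breach, applies the notification
tests described in the text and tracks the 72-hour supervisory-authority window."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # data falls into the wrong hands
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data
    INTEGRITY = "integrity"              # data corrupted or otherwise altered


class Risk(Enum):
    UNLIKELY = "unlikely"  # no likely risk: internal log only
    RISK = "risk"          # notify the supervisory authority
    HIGH = "high"          # notify the authority and the affected individuals


AUTHORITY_WINDOW = timedelta(hours=72)  # "without undue delay ... no later than 72 hours"


@dataclass(frozen=True)
class Breach:
    reference: str
    description: str
    categories: List[BreachType]
    aware_at: datetime          # when the controller became aware (timezone-aware)
    personal_data: bool         # False for business-only data such as IP theft
    eu_subjects_affected: int   # 0 when only the domestic operation is affected
    data_readable: bool         # False when strong encryption defeats access
    sensitive_data: bool        # financial, health or similar high-impact data
    remediation: str


def in_gdpr_scope(b: Breach) -> bool:
    """Business-only data, or a breach confined to non-EU records, is outside the GDPR."""
    return b.personal_data and b.eu_subjects_affected > 0


def assess_risk(b: Breach) -> Optional[Risk]:
    """Simplified risk test (an assumption; real assessments are a documented judgement).
    Returns None when the breach is outside GDPR scope."""
    if not in_gdpr_scope(b):
        return None
    # Confidentiality-only breach of unreadable data: no likely risk (lost encrypted laptop).
    if set(b.categories) == {BreachType.CONFIDENTIALITY} and not b.data_readable:
        return Risk.UNLIKELY
    # No headcount cut-off: sensitivity of the data, not volume, lifts the risk to "high".
    return Risk.HIGH if b.sensitive_data else Risk.RISK


def triage(b: Breach, now: datetime) -> Dict[str, object]:
    """Decide who must be notified and when the authority deadline falls."""
    risk = assess_risk(b)
    notify_authority = risk in (Risk.RISK, Risk.HIGH)
    deadline = b.aware_at + AUTHORITY_WINDOW if notify_authority else None
    return {
        "reference": b.reference,
        "in_scope": risk is not None,
        "risk": risk.value if risk else "out_of_scope",
        "notify_authority": notify_authority,
        "notify_subjects": risk is Risk.HIGH,
        "authority_deadline": deadline,
        "hours_remaining": None if deadline is None else (deadline - now) / timedelta(hours=1),
    }


class BreachRegister:
    """Internal log of every breach, reportable or not, plus deadline tracking."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []
        self.reported: set = set()

    def record(self, b: Breach, now: datetime) -> Dict[str, object]:
        entry = triage(b, now)
        entry.update(description=b.description, remediation=b.remediation,
                     categories=[c.value for c in b.categories])
        self.entries.append(entry)  # logged even when nothing is reportable
        return entry

    def mark_reported(self, reference: str) -> None:
        self.reported.add(reference)

    def overdue(self, now: datetime) -> List[str]:
        """References whose 72-hour window has closed without a report being filed."""
        return [e["reference"] for e in self.entries
                if e["notify_authority"] and e["reference"] not in self.reported
                and now > e["authority_deadline"]]


# Constructed sample incidents mirroring the two scenarios in the text.
T0 = datetime(2018, 9, 3, 9, 0, tzinfo=timezone.utc)
MALWARE = Breach("BR-001", "malware intrusion into worldwide customer database",
                 [BreachType.CONFIDENTIALITY], T0, personal_data=True,
                 eu_subjects_affected=12_000, data_readable=True, sensitive_data=True,
                 remediation="intrusion isolated, backup restored")
LAPTOP = Breach("BR-002", "employee laptop holding customer data lost",
                [BreachType.CONFIDENTIALITY], T0, personal_data=True,
                eu_subjects_affected=40, data_readable=False, sensitive_data=False,
                remediation="full-disk encryption in place, remote wipe issued")

if __name__ == "__main__":
    register = BreachRegister()
    for incident in (MALWARE, LAPTOP):
        print(register.record(incident, T0 + timedelta(hours=1)))
    print("overdue:", register.overdue(T0 + AUTHORITY_WINDOW * 2))
```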

Next steps

  • Where the need to appoint an EU representative applies, choose wisely. If you are hit with a reportable breach, you only have a limited period to carry out your initial investigation and report it. Your representative is the liaison between you and the regulator – and needs to be completely familiar with the reporting procedure in the relevant country to avoid you straying towards non-compliance.
  • Get to grips with your governance requirements. From privacy impact assessments through to breach logging, the regulator, through any investigation, will need to be satisfied that your entire approach to data security is “appropriate”. Good governance goes a long way in establishing this.

Failing to have adequate security measures in place or to respond to breaches in the right way can both lead to sanctions and a hefty reputational blow to your global brand.

The Privacy Compliance Hub provides a complete solution for keeping on top of your compliance obligations. Take a look at our demo to discover more – or contact us for a chat today.