In May, the new General Data Protection Regulation (GDPR) was issued. The GDPR strengthens rules regarding the way in which companies use data and should enable individuals to have a greater level of control over what companies do with their personal data.
The GDPR is applicable across the European Union, and as such all UK companies should currently be complying with the regulation. There have been many papers about the legal aspects of the GDPR. But few papers have covered the practical realm of how to design a risk management framework that insurance companies can use for the GDPR and data protection risk analysis.
Data protection is important to all types of businesses:
• Collecting, sorting and analysing data is unavoidable, whether it involves handling policyholder data directly or collecting personal data of a company’s employees or clients.
• There is a high price to pay for any error or breach of data, both in terms of direct remedial costs, such as regulatory fines and additional staff, and in terms of ongoing reputational consequences that damage business performance.
In this paper, Milliman’s Claire Booth, Tanya Hayward and Peter Moore walk through the high-level requirements of the GDPR and also detail specific considerations on the implementation steps. They provide an overview of the new GDPR rules, discuss the aspects that firms should consider in light of these changes and explore the implications of the GDPR for a firm’s risk management framework.