The devil is in the data

Much has already been written about the EU General Data Protection Regulation (GDPR) and its impact on all manner of businesses. The scandals which engulfed Facebook and brought down Cambridge Analytica have focused minds on the potentially vast sums firms could be fined if they fail to manage and store information and data properly.

 

Facebook can count itself lucky that the scandal broke prior to the 25^th May deadline, from which GDRP applies. The ?1.02 million fine Facebook paid to the Spanish authorities last September for privacy law infringements looks like a bargain compared with the provisions of the GDPR; corporate entities will be faced with fines of up to ˆ20 million, or 4% of their annual global turnover – whichever is higher – for violations of the GDPR from now on.

 

Facebook itself recognises the huge potential ramifications of GDPR, as demonstrated by Mark Zuckerberg’s acknowledgment that the new data privacy laws will only apply “in spirit” outside of Europe. Considering that the continent consists of less than 20% of Facebook’s global users it will be interesting to see how non-European regulators respond.

 

All of this makes it essential that corporate entities, particularly those which store significant amounts of personal data, are ‘on the ball’ when it comes to their clients’/customers’ data. It is clearly not enough for companies to assume that their cyber security and data protection procedures are adequate: they must do more. As the recent Facebook scandal has demonstrated firms need to be aware of the real possibility of human error.

 

As such corporate entities must take potential human error into account when they consider how data is handled internally. Mistakes happen in the workplace and can be highly embarrassing - as anyone who has accidentally copied the wrong recipient into an office email chain would know. Yet GDPR has the potential to turn a split-second human error into a multi-million pound fine. 

 

There is no doubt that firms will adapt to the legislation – albeit after making mistakes along the way – and utilise internal controls and practices to reduce the possibility of human error.

 

However, all of this raises a far more important issue; how should a business complete its insurance Proposal Form to take into account the new legislation?

 

Businesses need to be meticulous when studying the fine print of their insurance contracts, especially in relation to potential liabilities under GDPR.  This is particularly so when it comes to violations not related to conventional cyber security breaches and is more idiosyncratic in nature; such as human error.

 

Insurers may seek to shift liability, and how scrupulous a business is when completing its insurance proposal form will be key in ensuring it is not faced with a mandatory drastic fine not covered by insurance.

 

Being scrupulous with insurance proposal forms is just one side of the coin however, businesses will subsequently have to demonstrate to insurers that they have robust internal risk management processes in place.  This is because, more often than not, data losses are not due to hacking or external security breaches but in fact due to human error and a lack of internal controls and processes within a business when handling sensitive data.

 

The recent media attention surrounding Facebook demonstrates the speed with which even the most prominent and allegedly “tech savvy” companies can be engulfed in data loss scandals.

For a social media giant like Facebook - which lives, breathes (and could ultimately die) through its utilisation of users’ data, to allow inadvertently for its internal data usage processes to be seen to be chaotic is a clear warning to more traditional firms – truly the devil is in the data.

 

Dileep Pisharody is a partner at Rosling King LLP, specialising in insurance and reinsurance disputes.