Study Room | 08.03.2018

A-Z of… The General Data Protection Regulation

Marc Michaels explains what businesses in finance and insurance sectors can do to ensure compliance while continuing to use data effectively.

The financial and wealth management sector throughout Europe is currently experiencing a period of intense change. The new MiFID II regulation is already in place and the introduction of the General Data Protection Regulation (GDPR) is just around the corner in May.

While much has been made of the consequences of failure to comply with GDPR – particularly the sizeable fines for serious data breaches – some businesses remain unsure what its impact will be on a practical, day-to-day level.

Although companies need to ensure they are using customer and employee data lawfully, they should still be able to gain insights from it in order to influence marketing activities and business decisions.

In order to keep this balance, a good understanding of the GDPR’s aims and obligations is vital. One of its prime objectives is to improve transparency and security, protecting sensitive customer information from data breaches and potential cyberattacks.

This requires businesses to look closely at what personal data they hold and why, who can access it and how any security risks can be minimised.

GDPR requires businesses to have a ‘lawful’ basis for processing and using data, and to communicate that basis to customers. Consent and legitimate interest are the bases that most affect marketing communications, and organisations may need to re-permission their contacts to gain proper consent. A box pre-ticked several years ago is simply not enough – organisations will need to gain “freely given, specific, informed and unambiguous” clear, affirmative consent.

Although the prospect of a shrinking database may cause initial concern, it should be remembered that the customers who remain are engaged and happy to receive communications, and are likely to be far more responsive to marketing campaigns, which in turn can be more relevant and delivered in an appropriate format that achieves a better return on investment.

Another fundamental element is what to do in the event of a data breach. Organisations are obliged to have a plan and process in place that enables them to contact customers immediately in the event of a violation. A serious breach, leading to the exposure of sensitive personal details, could result in a fine of up to 4% of global turnover or €20m, whichever is greater.

GDPR sets a ‘rapid response’ deadline of 72 hours from becoming aware of a breach for companies to provide a breach notification to the relevant supervisory authority. Affected clients must be notified without undue delay.

In order to fully comply, businesses must outline what measures were taken to mitigate the effects of a breach, which is likely to involve promptly notifying all or parts of the customer database. Such plans should be tried and tested so that in the event of a violation, all runs smoothly and within the legislative requirements.

With help and guidance from a communications expert, the introduction of the GDPR can present an opportunity to create a streamlined and relevant database while remaining fully compliant, as well as to establish a tried-and-tested framework that can be used whenever customers need to be contacted urgently.

Marc Michaels is director of strategy and insight at Paragon Customer Communications.

For more information, visit: www.paragon-cc.co.uk

A – authority

B – breach

C – customers

D – data

E – Europe

F – fines

G – general

H – help

I – investment

J – obJectives

K – keep

L – lawful


N – notification

O – obligations

P – process

Q – conseQuences

R – re-permission

S – security

T – transparency

U – unambiguous

V – violation

W – wealth

X – eXpert

Y – years

Z – siZeable
