The May 25th deadline is just around the corner and businesses and public institutions that work with the personal data of users are duty bound to adhere to the General Data Protection Regulation (GDPR) if they don’t want to risk incurring heavy penalties. The unintentional failure to comply with the Regulation results firstly in the issuing of a warning; thereafter, the penalties become quite substantial, up to €20 million or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
With this new Regulation, the European Commission officially brings the economy into the digital era. According to Mario Rasetti, global data science guru, more data was produced in 2017 than mankind has generated in its entire existence.
What are we talking about? We are talking about data produced at all times of day through Google searches, text messages, emails, posts on Facebook, photos published on Instagram, tweets etc.
Data which hide information on our lives, which are shared with thousands of parties even if we only have a few followers on the social media. But we also mean the data produced by the 8 billion objects now connected online which, thanks to the incredible expansion of the Internet of Things, will rise to over 20 billion in 2020.
We are experiencing a digital revolution that is opening the doors of development and internationalisation to businesses but at the same time the risk of falling prey to hackers and increasingly fearsome and sophisticated digital attacks is also growing. Cyber risks are a threat to all business sectors, including the most traditional ones. In this rapidly transforming scenario, the GDPR is designed to guarantee users an effective and standardised personal data protection system in all European Union countries.
Industry 4.0, Big Data, artificial intelligence, robotics: these are the paradigms of the new digital society where the most important assets of businesses are data and their ability to extract value from them becomes the key factor in determining their success. Data security, management and processing are increasingly key concepts in the definition of company strategies.
The processing of personal data is the cornerstone of the GDPR. Companies must adopt appropriate measures to protect the data in their systems and are obliged to report incidents of data theft within 72 hours. The other key measures include: the creation of the Data Protection Officer, in charge for monitoring compliance with the Regulation; the creation of processing activity records, on the basis of which interested parties will be informed as to how their data will be used; the data subjects can request access to processed data and exercise their right to be forgotten, thus interrupting the disclosure and processing of personal information and obtaining the cancellation of the data by revoking their consent; the right to data portability.
It is clear that the application of the regulation will have a significant impact on processes, information systems and also costs.
But how are European businesses responding?
The perception is that so far only the most well-structured organisations have already complied with the regulation while the large majority of SMEs across Europe are well behind schedule with many of which (37% according to research by WatchGuard Technologies) unclear as to the obligations of the regulation.
Complying with the regulation is not a simple process. The regulation is not prescriptive: rather than establishing what to do to be compliant it indicates certain objectives to meet in order to guarantee the protection of personal data.
It is a very flexible regulation, designed to adapt to the rapid timeframes of technological innovation, which does not have valid models for all entities.
Complying with the GDPR therefore necessitates a multidisciplinary approach, beginning with a risk analysis that shines a light on cyber security. According the most recent report by Clusit (the Italian IT Security Association), €500 billion of economic damage was caused at global level by cyber criminals in 2017.
Scary figures in a society in which digitalisation and interconnection have eliminated the barriers of space and time, making it impossible to predict the true extent of the cyber risk. There is no doubt that a data breach can undermine the economic sustainability of a business, without considering the collateral damage to its reputation. In this regard the GDPR is an excellent opportunity not only to protect personal data but also to consider how to defend strategic assets from cyber risks, the biggest threat facing us today but also tomorrow.
The insurance industry is the only sector with the expertise, the tools and the culture to evaluate cyber risks, mitigate them, manage them and help businesses in their prevention activities.
In this sense, insurance policies do not solve all the problems but they are a crucial part of an integrated process of managing and mitigating risks, which must be identified, monitored and governed over time. The demand for cyber risk coverage is increasing all over the world, evidence of the growing awareness among businesses of just how useful insurance solutions can be in containing the potential financial damage of data breaches. Although in its infancy, the cyber risk market is already able to provide coverage for the loss or disclosure of personal and sensitive data, for damage to information systems, for the interruption of services, and much more besides.