Wray said: “The first driver of likely non-GDPR compliance is procrastination. In some cases this is a result of not recognising the scale of the GDPR programmes, which did not make the progress they needed to in 2017. My observations are further borne out by a recent survey by the law firm Paul Hastings, in which they find that only 39% of UK and 47% of US firms have an established GDPR programme.”
Other failures include:
Delusion – Many insurance carriers and brokers that have implemented GDPR programmes believe that they don’t have too much to do because they’re compliant with the EU data protection directive (the Data Protection Act in the UK). This is a false assumption for many insurance businesses as their processes and systems have all changed significantly since most firms last looked at data privacy. As a result, their GDPR programmes need to have a larger scope than was initially assumed.
Under-investment – According to the Paul Harvey survey, only 10% of UK companies have allocated a budget for GDPR compliance.
Wray says: “In my experience, the number of insurance firms allocating a budget is higher than 10%; however, these budgets are not always based on correct assumptions, therefore the project teams are likely to be asking for additional investment, or changing the scope to meet the budget. This often isn’t the best approach for compliance projects.
“Some (re)insurers are also falling into the trap of thinking that GDPR is a “one and done” project (this is why some firms didn’t maintain their DPD compliance as tightly as they should have). For the GDPR, some firms will require a data protection officer (in some cases they may need to be a full-time position but others might look at a DPO service offered by specialist third-party contractors). This means that GDPR is likely to feature on most organisations’ budgets in some form going forward.”
Wray concludes: “Having the right resources in your GDPR programme can make a massive difference, either to supplement existing internal resources or to play a larger role. Indeed, having resources with access to the right experience right now could be the difference between a successful programme and one that is still running in January 2020.”