The pain of GDPR compliance and the long term effects

GDPR has no exemptions that the organisations I work with can rely on. Perhaps for the first time with data, we are all in it together.

The challenges facing organisations trying to comply are magnified by the amount of “fake news” surrounding it. I haven’t been surprised by the feeding frenzy from those trying to cash in, yet I am somewhat alarmed by the number of “experts” on this untried legislation. I understood that it took 10,000 hours to become an expert in something and I’m wondering how the experts managed that. C’est la vie.

What truly concerns me is that this is a massive cultural change and I fear that the policies being written and disseminated are not going to empower the people that need to deal with data on a daily basis. During my 29 years in the field of risk, insurance and business continuity I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure employment or contracts can be terminated rather than actually encouraging people to comply. I realise that this is partly due to legal precedent yet motivating people by fear is far weaker than motivating them by other means.

Having listened to many people and taken in copious amounts of information, I think that the feeding frenzy has prevented people from understanding the “mission” of the data regulators. They want organisations to be careful with data and respect the wishes and privacy of people like you and me. It is not a lot to ask, yet achieving that aim is undoubtedly awkward. It is a lot less awkward if the culture of an organisation recognises this.

I have this awful nagging doubt that people will not be motivated to do the right data thing if they are told off or disciplined when they make mistakes. I’ve seen many policies that tell people what to do, yet they are rarely allied with the cultural piece. Even rarer is the right level of education and reinforcement that motivates.

The deadline will come and go yet the mission of the regulator is not going to be achieved if the culture of blame continues to be the most pervasive in organisations. One issue that no-one seems to have thought about is the way salespeople treat data. Arguments over who owns it are regular, especially with the advance of online networks. Roughly 50% of people take data with them when they leave one organisation for another. There are at least two companies in breach when this happens and the individual has broken the law. It is theft after all.

The existing regulations state that this shouldn’t happen yet half of the population think it’s OK to take it when they really know that they shouldn’t. It could be argued that the policies that discipline people have worked because they have stopped the other half from doing this. Yet half is not enough. It should be a single digit number, at the very worst.

So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour.

What can be done?

A new type of policy is required. Naturally, it should start at the top of an organisation. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. It should reward people for doing the right thing. It should be something that everyone is reminded about. But not “beaten up” over.

Jason Cobine is an insurance broker in London who works with businesses and charities. He has built a business from scratch, without pilfering data, so he knows how hard it is. Yet it was a cultural decision that has proved to be correct.

The GDPR is coming. Time to sit down, relax and take stock

This article is about the feeding frenzy taking place, how to avoid it and what to look out for in the run up to GDPR lift off.

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

The vultures have been circling for some time now.

Plenty of people are putting the frighteners on good people that just want to survive the supposed relentlessness of heavily armed Data Commissioners issuing fines aplenty. That will not actually happen: the ICO simply haven’t got enough resources to do that, much like other agencies that are not for profit.

Speaking of which, it is those that are for profit that we need to be wary of. I’ve received several updated contracts from insurance companies dictating how data issues need to be resolved. My first piece of advice is to establish what your partners expect of you because, whilst the data commissioner might give you 72 hours to report certain types of breach, I am now contractually bound to give others 24 hours’ notice. Probably because they want the lion’s share of the deadline to get themselves ready. They also insist on certain types of data security and issue tight deadlines on “data subject access requests”. Cheeky but true.

So have you read all your contracts recently?

At least some of our partners are decent enough to tell us they’re being updated. Other contracts, like insurance policies, already cater for the change with clever wording. Where it states that they expect you to be complying with the law it actually means that as soon as the law changes, you have to be compliant with the new one. They don’t need to wait for the renewal of a contract to make you keep up with legislation. They’ve already taken care of it.

Are you going to read all your supplier or partner contracts? Probably not. Who has the time? I hear you sigh! Keep these in mind when you are changing the policies that are affected by GDPR. There might be a clash: you might want to notify them within 72 hours, yet they might stipulate immediately. Forewarned is forearmed, and I don’t think fines are going to cause the biggest headache. I think it will be interruptions to business and loss of reputation and/or clients.

Government crack the whip

I have a feeling that the government announcement last week, that it would try to reduce the compensation culture by cracking down (again) on so-called “whiplash” claims, might fuel the class action culture that Morrisons supermarkets find themselves subject to. There are a lot of companies that rely on that revenue stream (it’s in the billions) and they will switch to the next as quickly as they went from PPI to holiday sickness claims. And PPI is coming to an end.

Wrap up: We’re not overly concerned about the deadlines imposed by our supply chain because we have the resources to cope with them. Yet we’re very pleased we know what they are, because a data breach causes enough confusion on its own.

Top Tip: Once you’ve assessed your position, review your contracts to see what else you might need to weave in. This is a once in 20 year opportunity to engage with your stakeholders. Done well, it will build trust regarding data and how you want to keep it safe. That trust is gold dust in the current climate.

How to protect risks to cashflow with insurance

This blog is about protecting cash flow, especially if those that owe money go bust.

What if a buyer goes bust?

With the global recession and Brexit, business owners are having to consider the impact this could potentially have on their business. What if a client goes bust? If a company is owed significant amounts of money from clients, it is a major risk to cash flow.

Gareth came to us with these questions and more. He knew exactly what he wanted from an insurance policy. Dealing with imports, he needed peace of mind that he had cover if stock went missing. He also needed to know that his invoices were covered if products didn’t reach the consumer. We took time to understand Gareth’s business completely, to a granular level.

What if they don’t want to pay?

Business owners need confidence that they are going to get cover that matches their needs and not be sold an off-the-peg insurance that doesn’t quite do the job. After negotiating with underwriters we carefully selected the options that matched Gareth’s broad requirements.

One option included protection against protracted debts or liquidations relating to companies that had been invoiced. It often helps with obtaining quicker payments, from companies that are happy to share the debt, when the risk of a default is backed by credible protection.

What are the risks when reducing risks?

Following up with a meeting to go through the small print and fully explain terms, conditions and exclusions is a must. We tell it like it is, the good and the bad, so our clients can make informed decisions.

The devil is in the detail and it is often a surprise to everyone, including us, when it is interpreted in the context of a particular business. It’s our duty to recommend protection that fits each client: the most appropriate cover has to meet their needs, rather than provide the dreaded false sense of security.

Wrap up: Small print can be seen as an enemy, yet there’s a lot that can be learned from it. Read our blogs on the different types of policies available. I used to be surprised at the number of people that told me that they had already covered everything, then sent me documents riddled with exclusions. I now know it is a common occurrence in our sector.

Top tip: Some people find out when it’s too late. Review your debtors regularly, watch out for slow payers and avoid companies that are shown as risks on credit checks.

Power (back) to the people?

Have the EU given data power (back) to the people?

This blog is about data protection, how the laws are used against us and how the new broom will try to take miscreants to the cleaners.

Data protection

It has always miffed me when the Data Protection Act was used against me, especially when I know it was designed for me… to actually protect me. And you, of course. I’m referring to the times when, with no malice in mind, I have been refused access to bank accounts, utility bill payments and more with the comment “It’s against our data protection policy to help you”.

I know that some of the people that have told me this were on a work avoidance programme (known as WAP when I worked in corporates). Their colleagues confessed in the bar. I now know privacy “defence” is used against us when it suits the data controller.

This video shows how defences fold when a little “social engineering”, also known as lying, is used to break an individual’s defence down. It shows how hackers (in 30 seconds) get access to personal or private information with a little trickery involving children, of all things. Thank God the children aren’t real. It left me wondering why I can’t access my information when others can.

Plan of the insurers

Perhaps this is why European legislation fines companies 4% of turnover (not profits) following avoidable breaches. Even more interesting are the requirements to notify interested parties of a breach within 4 days of it happening. Since the old act was introduced, times have moved on and technology has increased the speed of such change. Surprisingly enough, insurers do have a plan. Not the insurers you’ve heard of.

There is a new breed offering services as well as covering fines, legal costs and clean-up costs. Having said that, very few of our data breach enquiries end up with insurance policies being required. It’s usually education that reduces risk. If you think that’s what you need, get in touch to get a free trial (it’s on us). Because I have no doubt that we will adopt the EU data act, sooner or later. If we are not in Europe there will be greater scrutiny of weaknesses in the offerings of UK Plc.

It will become a business imperative to have the highest threshold of data security in the world. If the Panama Papers haven’t made people think carefully about what they have that’s important, private or confidential, nothing else will. Once the high-risk data has been secured in your version of Fort Knox, you can then secure the next level of lower-risk data, and so on.

What now?

So you may well start preparing now. Or you could wait for the authorities to point the finger and aim their inspectors at someone else. These issues are extremely rare. The new breed of data inspectors will be targeted to find breaches so they can fine people. Now that the £35 per year Data Protection Register annual charge is being scrapped, the DPA will only get paid if they manage to raise funds through fines.

Data breaches will be a lot easier to spot than health & safety breaches so anticipate people with an axe to grind to start blowing the whistle. I also anticipate the forces that drove the compensation culture (whiplash anyone) will be a problem for those that don’t meet the regulations. I have no doubt that Data Protection inspectors will offer low paid workers (like cleaners) fees for “introducing them” to parties that have weak security. It will cost them nothing, they have a degree of protection from being disciplined when the whistle is blown, if it is for the “greater good”. If it were a Panama Papers employee that went rogue, I doubt they would suffer a severe penalty.

Wrap up: The people that were behind whiplash claims being made fraudulently or exaggerated have moved on. At the moment they are chasing ambulances (an American term) straight into the A&E departments. This is because it is easier to exaggerate or commence a fraudulent injury claim when there is no car involved. It’s only a matter of time before they move sideways into data.

Top tip: As for the referendum, have a plan for staying and another for going. Keep both simple.

Contracts, Consultants and indemnity

“Jason really was amazing, he managed to find insurance cover for me as a consultant valuation surveyor when no one else could. He kept me informed of progress continually. I would thoroughly recommend him.”

– Robin Smith, FRICS

Getting your contracts in order

Robin called me saying “I need urgent assistance. I’ve won a contract yet they’re asking me for insurance and nobody can provide me with what’s needed.” This is something we deal with every week because a lot of insurance providers have placed their products on the Internet and don’t have the facilities to give advice as to what fits.

The contract wasn’t complicated or onerous yet it was specific. The type of work to be carried out was slightly unusual yet the problem wasn’t the work it was the availability of cover. Robin also had a deadline to meet and so the frustration in finding red herrings all over the Internet was understandable. There were many providers that said they could offer the cover Robin needed but as soon as he scratched the surface they turned and ran in the opposite direction.

Insurance and contracts are usually at odds

Another challenge for Robin was that the contracts told him the terms and conditions of undertaking the project, yet the insurance available has to be compared to the contract to ensure they dovetail. There are clauses in contracts that relate to insurance and there are clauses in insurance policies that relate to contracts.

Most insurances available via the Internet are no good when compared to contracts. The fact that so many insurance providers allow people to buy insurance without speaking to anyone is brilliant. Especially when you need something in a hurry. It’s not so brilliant when you need to speak to somebody and find that the Internet and, in particular the website that you found it on, doesn’t take your calls.

Whatever next?

Sometimes those awarding the contract start reading the insurance themselves and asking questions. Being cynical, they often ask these questions when they are due to pay an invoice. I’m not saying that they use this as a tactic to delay payment yet, if the insurance doesn’t meet the requirements, they will delay payment.

This happens most often when small businesses are working with a large company with an in-house legal team. They accept the insurance documents and only start checking the details when they are due to pay. This is so common we make sure that the insurance stacks up before it’s issued rather than suffer the pain of the late payment at a later date.


Wrap up: The temptation to accept a contract with a large company is great. The offer may seem fantastic, yet their requirements can water down the profitability.

Top tip: Make sure you check the cost of the insurance before you negotiate your fees or payment terms. You might need insurance for a contract, yet you don’t want to end up with zero profit.

Say it but don’t blame me

Sometimes it’s best to help your prospects understand what you offer that your competitors don’t, rather than trying to highlight the inadequacies of your competitors. This is especially the case when the comments you make are in public, and especially when your competitors get angered easily and/or have very deep pockets or in-house legal teams. This article explains what happens when someone is unhappy with what you say about them, how to avoid it and what you can do about it.

I have a client who has produced software that is absolutely outstanding and reduces the amount of time you and I spend waiting for organizations to answer our calls. It also reduces the number of staff a call center requires, and I think it’s a product that provides everyone with a benefit. They have nearly 1 million subscribers to their app so they must be doing something right.

There was a time, before they appeared on “Dragons’ Den”, that they were looking to generate a buzz about their business. They talked to a marketing consultant and were eventually persuaded to use a marketing expert who specialized in generating PR for technology-based businesses. It all sounded great, everything heading in the right direction.

We didn’t say that did we?

The marketing expert had decided to seed the press and other relevant forums with explanations about the different waiting times that people experience when calling well-known companies. In theory these companies were not competitors to our client. They were irked, even angered, to find themselves at the top of a table highlighting which companies leave callers on hold for the longest time. The angriest was a particularly large company in the health industry, and they decided to issue a letter asking our client to explain exactly where they got their information from and asking them to remove any reference to that company from the public domain. This was an understandable reaction to an article that was supposed to improve the profile of this client, yet it just served to anger a party they didn’t need to anger and caused many other problems internally. The initial panic should never be underestimated when you get a letter from an in-house lawyer, because they have so much time on their hands to deal with such issues.

Naturally my first question to my client was whether they had actually made the points that the in-house lawyer objected to. Their answer was “it wasn’t us”. Yet when I used Google I found the article was credited to them. At which point they said it was an outsourced marketing expert who had put these articles together. I asked if the marketing expert had provided evidence of their insurance. Blank looks all round. I asked if the marketing expert’s research had been checked by my client. More blank looks. I asked if the marketing expert had used a specialist to research the details they were using. The blank looks continued.

Shall we tell them it wasn’t us?

This was the comment my client made next, and I asked them if they thought that would send the complainant off towards the marketing company. They realized that was probably never going to happen. If that were the case, everyone would simply say someone else did it in our name and no one would ever cease and desist when libelling someone. Fortunately they didn’t need to have this conversation because we had already provided them with a legal defense if allegations of libel, defamation or breach of confidentiality were leveled at them, yet they still learned a valuable lesson about suppliers. These days very few businesses are self-contained. Nearly every company I know relies on an employee or another organization to help them deliver their product or services. However, not all such businesses are as careful as they should be, and you can either be guilty by association or considered guilty because something is done under your umbrella.

Top tip:
Check your suppliers carefully. If they have insurance and it is fit for purpose, you can give them free rein, which makes your life easier.

Wrap up:
If they don’t have insurance you shouldn’t be dealing with them, because at best your insurance premiums will creep up as your suppliers make mistakes. That’s like buying car insurance and allowing the worst driver you know to drive, even though they are already banned.