The pain of GDPR compliance and the long term effects

 

GDPR has no exemptions that organisations I work with can rely on, perhaps for the first time with data, we are all in it together.

The challenges facing organisations trying to comply are magnified by the amount of “fake news” surrounding it. I haven’t been surprised by the feeding frenzy from those trying to cash in yet I am somewhat alarmed by the number of “experts” on this untried legislation. I understood that it took 10,000 hours to become an expert in something and I’m wondering how the experts managed that. C’est la vie.

What truly concerns me is that this is a massive cultural change and I fear that the policies being written and disseminated are not going to empower the people that need to deal with data on a daily basis. During my 29 years in the field of risk, insurance and business continuity I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure employment or contracts can be terminated rather than actually encouraging people to comply. I realise that this is partly due to legal precedent yet motivating people by fear is far weaker than motivating them by other means.

Having listened to many people and taking in copious amounts of information, I think that the feeding frenzy has prevented people from understanding the “mission” of the data regulators. They want organisations to be careful with data and respect the wishes and privacy of people like you and I.  It is not a lot to ask yet achieving that aim is undoubtedly awkward. It is a lot less awkward if the culture of an organisation recognises this.

I have this awful nagging doubt that people will not be motivated to do the right data thing if they are told off or, disciplined when they make mistakes. I’ve seen many policies that tell people what to do yet they are rarely allied with the cultural piece. Even rarer is the right level of education and reinforcement that motivates.

The deadline will come and go yet the mission of the regulator is not going to be achieved if the culture of blame continues to be the most pervasive in organisations. One issue that no-one seems to have thought about is the way salespeople treat data. Arguments over who owns it are regular, especially with the advance of online networks. Roughly 50% of people take data with them when they leave one organisation for another. There are at least two companies in breach when this happens and the individual has broken the law. It is theft after all.

The existing regulations state that this shouldn’t happen yet half of the population think it’s OK to take it when they really know that they shouldn’t. It could be argued that the policies that discipline people have worked because they have stopped the other half from doing this. Yet half is not enough. It should be a single digit number, at the very worst.

So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour.

What can be done?

A new type of policy is required. Naturally, it should start at the top of an organisation. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. It should reward people for doing the right thing. It should be something that everyone is reminded about. But not “beaten up” over.

 

Jason Cobine is an Insurance broker in London who works with businesses and charities. He has built a business from scratch, without pilfering data so he knows how hard it is. Yet it was a cultural decision that has been proved to be correct.

 

The GDPR is coming. Time to sit down, relax and take stock

This article is about the feeding frenzy taking place, how to avoid it and what to look out for in the run up to GDPR lift off.

 

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

 

The vultures have been circling for some time now.

 

Plenty of people are putting the frighteners on good people that just want to survive the supposed relentlessness of heavily armed Data Commissioners issuing fines aplenty. Which will not actually happen. The ICO simply haven’t got enough resources to do that. Much like other agencies that are not for profit.

 

Speaking of which, it is those that are for profit that we need to be wary of. I’ve received several updated contracts from insurance companies dictating how data issues need to be resolved. My first piece of advice is to establish what your partners expect of you because, whilst the data commissioner might give you 72 hours to report certain types of breach, I am now contractually bound to give others 24 hours notice. Probably because they want the lions share of the deadline to get themselves ready. They also insist on certain types of data security and issue tight deadlines on “data subject access requests”. Cheeky but true.

 

So have you read all your contracts recently?

 

At least some of our partners are decent enough to tell us they’re being updated. Other contracts, like insurance policies, already cater for the change with clever wording. Where it states that they expect you to be complying with the law it actually means that as soon as the law changes, you have to be compliant with the new one. They don’t need to wait for the renewal of a contract to make you keep up with legislation. They’ve already taken care of it.

 

Are you going to read all your supplier or partner contracts? Probably not. Who has the time? I hear you sigh! Keep these in mind when you are changing your policies that are affected by GDPR. There might be a clash. You might want to notify them with 72 hours, yet they might stipulate immediately. Forewarned is forearmed and I don’t think fines are going to cause the biggest headache. I think it will be interruptions to business and loss of reputation and/or clients.

 

Government crack the whip

 

I have a feeling that the government announcement last week, that it would try and reduce the compensation culture by cracking down (again) on so called “whiplash” claims, might fuel the class action culture that Morrisons supermarkets find themselves subject to. There are a lot of companies that rely on that revenue stream (it’s in the billions) and they will switch to the next as quick as they went from PPI to holiday sickness claims. And PPI is coming to an end.

 

Wrap Up: We’re not overly concerned about the deadlines imposed by our supply chain because we have the resources to cope with them. Yet we’re very pleased we know what they are because a data breach causes enough confusion on it’s own.

 

Top Tip: Once you’ve assessed your position, review your contracts to see what else you might need to weave in. This is a once in 20 year opportunity to engage with your stakeholders. Done well, it will build trust regarding data and how you want to keep it safe. That trust is gold dust in the current climate.

How to protect risks to cashflow with insurance

PROTECTING CASH FLOW2

This blog is about protecting cash flow, especially if those that owe money go bust.

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation

What if a buyer goes bust?

With the global recession and Brexit, business owners are having to consider the impact this could potentially have on their business.  What if a client goes bust?  If a company is owed significant amounts of money from clients, it is a major risk to cash flow.

Gareth came to us with these questions and more.  He knew exactly what he wanted from an insurance.   Dealing with imports he needed peace of mind that he had cover if stock went missing.  He also needed to know that his invoices were covered if products didn’t reach the consumer. We took time to completely understand Gareth’s business to a granular level.

What if they don’t want to pay?

Business Owners need confidence that they are going to get cover that matched their needs and not be sold an off the peg insurance that doesn’t quite do the job.  After negotiating with underwriters we carefully selected the options that matched Gareth’s broad requirements.

One option included protection against protracted debts or liquidations relating to companies that had been invoiced. It often helps with obtaining quicker payments, from companies that are happy to share the debt, when the risk of a default is backed by credible protection.

What are the risks when reducing risks?

Following up with a meeting to go through the small print and fully explain terms, conditions and exclusions is a must.  We tell it like it is, the good and the bad so our clients can make informed decisions.

The devil is in the detail and it is often a surprise to everyone, including us, when it is interpreted based on a particular business. It’s our duty to actually recommend protection that fits each client and the most appropriate has to meet their needs, rather than provide the dreaded false sense of security.

 

Wrap up; Small print can be seen as an enemy yet there’s a lot that can be learned from it. Read our blogs on the different types of policies available. I used to be surprised at the number of people that told me that they had already covered everything, then sent me documents riddled with exclusions. I now know it is a common occurrence in our sector.

Top tip; Some people find out when it’s too late.Review your debtors regulary and watch out for slow payers and avoid companies that are shown as risks on credit checks