General Data Protection Regulation
After Solvency II, the European Union is ready for its next big and comprehensive regulation, called GDPR (General Data Protection Regulation). GDPR was approved by the EU Parliament on 14 April 2016 and, after a two-year grace period, it will be effective from 25 May 2018! The new regulation will replace the current Data Protection Directive 95/46/EC and naturally brings much more than the existing directive.
Regulatory Landscape and Breaches
The first key point of the new regulation is protecting all EU citizens’ data privacy with an extended regulatory landscape. With GDPR, the new data privacy rules apply to all personal data of subjects residing in the European Union, regardless of where the company is located.
With GDPR, fines for breaches were increased sharply: breaches can be fined up to 4% of annual global turnover or 20 million Euro (whichever is greater). Another radical change in GDPR is that the regulation applies not just to controllers but also to processors, so cloud processors are now included in the legal scope.
The data owner’s consent to usage was also a key point in the previous directive. In GDPR, consent is regulated in a customer-centric way: the consent document should be prepared in an understandable, simple and easily accessible form, and withdrawing consent should be made just as easy for customers.
Notification and Access Rights
With GDPR, breach notification becomes mandatory and must be performed within 72 hours after becoming aware of the breach. Data controllers will notify all affected data owners about the possible risks to the rights and freedoms of individuals.
“Data Erasure”, or the “Right to be Forgotten”, is also regulated by GDPR. At the owner’s request, data that is no longer relevant to the original purposes of processing can be erased. The key term in this subject is ‘the public interest in the availability of the data’, so the EU still leaves an exit strategy for using data when it is found to be necessary.
DPO and Hierarchy of Data
Another crucial point is building a hierarchy of data security within companies. With GDPR, users of data should build a structure that allows access not to every employee but only to the related ones. After the enforcement date, companies should appoint a Data Protection Officer (DPO) who reports directly to the highest management level and must not have any responsibilities that could create a conflict of interest. GDPR also covers the important notifications previously handled under local Data Protection Acts (DPAs) and finalizes the notification requirements that those local DPAs had set. The regulation specifies internal record-keeping requirements, and DPOs will be responsible for regular and systematic monitoring of data traffic.
GDPR and Insurtech
With the increase of connected IoT devices, real-time data collection and high-profile cyber-attacks, data security and privacy have emerged as the main threats to Insurtech. However, customers will be more eager and feel more comfortable if they are satisfied that data privacy is a common standard, regardless of the size of the company. With GDPR, the main triggers of Insurtech, like IoT, machine learning and much more, won’t be considered possible tools for data breaches, and GDPR will be a spontaneous trigger of Insurtech!
GDPR and Its Effects on the Turkish Market
Even though Turkey is not a European Union member, Turkish financial institutions have many EU-located customers who will be covered by GDPR. Furthermore, as with Solvency II, Turkey will be pushed to make similar regulations by the international financial groups that control 80% of the insurance market and 60% of the banking sector. As has been discussed for years, sector professionals find the data privacy regulation of Turkish financial markets very weak and not customer-centric. The rights to data access and the penalties are already regulated in the current data privacy act. However, the regulatory landscape, the right to be forgotten and privacy by design are still open issues of the act; consents are still not customer-centric, and withdrawing consent is still not as easy as giving it. Turkish financial markets are now preparing for new regulations on data privacy, and the points mentioned above are possible improvements for the next data privacy act, named KVKK.