GDPR: Is it just another strict regulation or a great opportunity for operational excellence?
Xenofon Liapakis, General Manager CIO & Services of Interamerican Group, Chairman of the Hellenic CIO Forum
November 2017
Interamerican at a glance
- The most famous brand in the Greek insurance market
- The highest brand awareness: Interamerican 99%, Anytime 98%
- Market share: P&C 11.9%, Life 5.4%
- Financial results 2016: profit 21M, GWP 329M
- The only insurer with its own Health and Assistance infrastructure
- Successful implementation of a multi-distribution model
- The first direct insurer in Greece, through Anytime
- Innovative products in Investments, Health and Assistance
- Group employees: 1,154
- Unique customers: 950,000 for INTERAMERICAN, 290,000 for Anytime
- Customer satisfaction: INTERAMERICAN 84%, ANYTIME 91%
GDPR: History & Timeline
- January 2012: European Commission proposes GDPR
- December 2015: GDPR agreed
- April 2016: European Parliament adopts GDPR
- December 2017: Achmea & OpCos adopt GDPR
- May 2018: GDPR takes effect
GDPR: General Content (roles defined in Article 4)
- Data Subject: the identified or identifiable natural person to whom the personal data relate
- Data Controller: the entity or person that determines the purposes and means of processing personal data
- Data Processor: the entity or person that processes personal data on behalf of the Controller
- Recipient: the entity or person to which the data are transferred or disclosed
GDPR: Key points
- Focus on data subject rights
- Accountability for both the Data Processor and the Data Controller
- Personal data breach notification to the supervisory Data Protection Authority not later than 72 hours after becoming aware of it (Article 33)
- Implementation of security measures and structures within the organization
- Assignment of the Data Protection Officer (DPO) role and responsibilities
- Sanctions in case of infringement: administrative fines of up to 10,000,000 EUR or 2% of total worldwide annual turnover for the lower tier, and up to 20,000,000 EUR or 4% of total worldwide annual turnover for the upper tier, whichever is higher
GDPR: Private Data
- Digital identifiers: IP address (v4, v6), MAC address, X/Y geographic coordinates, social media accounts (Facebook, Twitter, Instagram)
- Demographic data: name, gender, date of birth, age, nationality, country, city, postal code, phone number, email address
- Government identifiers: national ID, passport number, social security number, driver's license, vehicle registration number
- Organization data: CV, employee number, bank account & credit card number
- Special category of personal data: genetic data, biometric data, gender, race, ethnicity, sexual orientation, political opinions, children's data, religious beliefs, philosophical beliefs, trade union membership, criminal record, medical data
GDPR: New Principles
- Right to be forgotten
- Data portability
- Regulation of profiling
- Data monitoring
- Registry of reports & processing
- Classification of structured/unstructured data (PII/SII)
- Wider definition of personal data
- Strengthening data privacy
- Accurate data
- Explicit consent
- Liability for both controller and processor
- Mandatory data breach notifications
- Accountability for data controllers & processors
- Sanctions for non-compliance / data breaches
Data governance & security perspective:
- Encryption & masking
- Rules for profiling
- Data user authorization
- Incident management process
- Providing access to personal data
GDPR: Our roadmap
1. Create governance & assign stakeholders
2. Analyze the regulation
3. Present the regulation framework to senior management
4. Define the GDPR & PIA approach
5. Establish the methodology
6. Engage company functions
7. Execute the PIA (Privacy Impact Assessment)
8. Record outcomes and identify gaps & breaches
9. Implement privacy solutions
10. Integrate privacy into operations
11. Evaluate KPIs & execute scenarios in order to verify GDPR compliance
Throughout: a continuous awareness program
GDPR: Our maturity status
Assessed areas: Personal Data Subject's Rights; Personal Data Safeguarding; Data Processing Basic Principles; Breach Notification; Audit and Continuous Improvement; Organizational Structure; Policies and Procedures; Security.
Every area was rated at Level 2 (Managed) or Level 3 (Defined).
Based on the CMMI Maturity Model. Legend: 1 Initial, 2 Managed, 3 Defined, 4 Measured, 5 Optimized
GDPR: Our findings
- Consent: requests for consent for different purposes are not distinguished; consent is opt-out
- Retention: retention periods for personal data are not clearly defined
- Portability: no policy for satisfying requests for personal data portability
- Security: USB ports are enabled on all corporate PCs and laptops; emails containing personal data are not encrypted
- Right to erasure (right to be forgotten): there are no mechanisms for personal data erasure
- Collection purpose: not all data collected, stored, transferred etc. are necessary for the purposes of the personal data processing
- Contracts: the template contract between IAG and an insurer partner has not been updated to reflect GDPR provisions
- Audit: the scope and criteria of the internal audit process do not include personal data protection requirements
- Data breach: the security incident records do not include all the information required for personal data breaches
GDPR: Our implementation approach
- Assign the role of Data Protection Officer (DPO) and define its responsibilities
- Confirm the existence of a Data Owner per data category
- Document a personal data protection policy
- Strengthen employee awareness & a Clean Desk policy
- Review and adjust processes to satisfy requests from data subjects
- Review the policy chapter on removable media
- Encrypt or mask personal information depending on the purpose of processing
- Create a personal data processing register
- Review and update contracts with processors
- Consolidate the security incident cycle to accommodate personal data breaches
- Define KPIs for the measurement of GDPR performance
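"Encrypt or mask depending on purpose" is the one item in this list that engineers have to turn into code. The following is an added illustration, not Interamerican's own implementation: a small purpose-based protection policy in Python that partially masks direct identifiers for a "display" purpose, replaces them with keyed HMAC-SHA256 pseudonyms for an "analytics" purpose, drops special-category fields from the analytics set (data minimisation), and refuses any purpose that is not registered. The key, the field classes and the sample customer record are all constructed for the example. Reversible field encryption, needed where the plaintext must later be recovered, is deliberately left out: it requires an AEAD cipher from a library such as cryptography and keys held in a KMS, not the standard library alone.

```python
"""Purpose-based protection of personal-data fields: masking for display,
keyed pseudonymisation for analytics, data minimisation for special categories.
Added example; not part of the programme described in the presentation."""
import hashlib
import hmac
from typing import Dict

# Constructed demo key (assumption). In production the pseudonymisation key lives in a
# KMS/HSM, is rotated, and is never stored beside the data it protects.
DEMO_PSEUDONYM_KEY = bytes.fromhex("0f" * 32)

# Field classes, following the categories on the "Private Data" slide (assumed field names).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "national_id", "card_number"}
SPECIAL_CATEGORY = {"medical_data", "genetic_data", "biometric_data", "religious_beliefs"}


def mask_card(pan: str) -> str:
    """Display masking for a card number: keep only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Display masking for an e-mail address: first character of the local part plus domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "****@" + domain


def mask_tail(value: str, keep: int = 3) -> str:
    """Generic masking that keeps the last `keep` characters (national ID, phone number)."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA256 over the normalised value.

    The token is stable, so records can still be joined and counted, but without the key
    it cannot be reversed or checked against a dictionary of guesses (an unkeyed hash of
    an e-mail address or national ID could be)."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def protect(record: Dict[str, str], purpose: str, key: bytes = DEMO_PSEUDONYM_KEY) -> Dict[str, str]:
    """Apply the protection that matches a registered processing purpose.

    "display":   a clerk must recognise the customer, so direct identifiers are partially
                 masked and the other fields are shown unchanged.
    "analytics": nobody needs to recognise an individual, so direct identifiers are
                 pseudonymised and special-category fields are dropped entirely.
    Any other purpose is rejected, which forces it to be registered first."""
    if purpose == "display":
        out = dict(record)
        if "card_number" in out:
            out["card_number"] = mask_card(out["card_number"])
        if "email" in out:
            out["email"] = mask_email(out["email"])
        for field in ("national_id", "phone"):
            if field in out:
                out[field] = mask_tail(out[field])
        return out
    if purpose == "analytics":
        out = {}
        for field, value in record.items():
            if field in SPECIAL_CATEGORY:
                continue  # data minimisation: never leaves the source system for analytics
            out[field] = pseudonymize(value, key) if field in DIRECT_IDENTIFIERS else value
        return out
    raise ValueError(f"no registered processing purpose: {purpose!r}")


# Constructed sample record (not real customer data).
SAMPLE_RECORD = {
    "name": "Maria Papadopoulou",
    "email": "Maria.Papadopoulou@example.com",
    "national_id": "AK123456",
    "card_number": "4111 1111 1111 1111",
    "postal_code": "11527",
    "medical_data": "hypertension",
}

if __name__ == "__main__":
    for purpose in ("display", "analytics"):
        print(purpose, protect(SAMPLE_RECORD, purpose))
```

The point of routing every access through protect() with a named purpose is that it ties the technical control to the processing register: a purpose that is not in the register has no branch, so the request fails instead of silently returning plaintext.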
GDPR: Data Breach Cycle
Breach -> Awareness of breach -> Investigation -> Evaluation & Decision -> Reporting to IA & Achmea -> Notify Supervisory Authority -> Notify Data Subject
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The 72-hour deadline for notifying the supervisory authority runs from the moment of awareness, so the investigation and decision steps have to fit inside it.
GDPR: Our effort per area
- Awareness: 10%
- Policies & procedures: 10%
- Security: 10%
- Data governance: 70%
Last but not least
- Set up a Clean Desk policy
- Ensure paper documents are safely stored and disposed of
- Classify unstructured data
- Employee involvement through continuous awareness
- Verify processors' compliance
- Control requests for data
GDPR: Post-implementation benefits
- Strengthened customer trust and customer relationships, resulting in loyalty
- Enhanced market reputation & business cooperation
- Competitive market advantage
- Stronger security and fewer security incidents
- Digital benchmark through the PIA
- Smart big data leads to better, safer, faster processing
- Elimination of redundant or duplicate data leads to reduced costs & faster processes
GDPR is not just another framework or regulation but a great opportunity to enhance operational excellence!