Because you hold some of your customers’ most sensitive data – credit cards, passports, addresses – you’ll now need to take cyber security much more seriously.

Board-level hires in this area and wholesale system replacements are likely to become the new normal, to satisfy both customers and shareholders. Data Loss Prevention (DLP) policies will have to extend to every solution you use, not just the ones that live in your own offices. This will mean a great deal of expense, especially given the regulatory requirement for new roles such as the Data Protection Officer.

Be sure that you have a partner on hand to walk you through exactly what your business will need.

Because this information is so sensitive, a big part of your brand’s integrity will now rest on how – and with what – you protect data.

You’ll need to invest in security training and coaching for your staff – they represent your first line of defence and your biggest risk. Your systems must be protected against all points of attack. And you’ll have to pick apps that are both compliant with the new regulations and secure against attack.

Because customers must have knowledge of how you use their data (and must have explicitly consented to this use), customising price points to individual customers will likely become much more difficult.

You may, however, be able to turn compliance into a competitive advantage by involving the customer more fully in your strategy and making it clear that letting you use their data will get them a better deal.

Disclosure following a breach now represents a much larger burden in some countries. There is a 72-hour clock for a company to report breaches to its Supervisory Authority, not to mention any affected customers.

This means you will probably pay out much more towards setting up disclosure centres when breaches happen.

Start demanding much more from your policyholders when it comes to security procedures. They should at the very least have breach detection and response protocols in place, alongside solid Data Loss Prevention (DLP) policies.

You should expect them to be able to give you a full rundown of their compliance in terms of both policy and systems. (This won’t represent much of a burden for them: if they regularly process personal data, they will have to demonstrate this to their DPO anyway.)
