Data Protection changes: Are Insurers Ready?

On 15 December 2015 the European Parliament and the Council of the European Union reached agreement on the EU Data Protection Reform, promising to make Europe fit for the digital age. But what is the General Data Protection Regulation (GDPR), what is its scope, and what do organisations need to do to comply with it?

What is the scope of the GDPR?
The first thing to say is that the scope of the GDPR is global: it applies to any organisation that processes personal data about people in the EU in connection with offering them goods or services or monitoring their behaviour. It makes no difference whether the organisation charges for those services, and it makes no difference whether the organisation has an establishment in the EU.

For financial services firms this means that a non-EU company offering services to people in the EU must comply with the GDPR even though it is neither based in nor has a presence in the EU. The same applies to providers of data hosting and cloud services and to social networks (such as Facebook), all of which will have to ensure that they comply with the regulation.

What is the GDPR?
The GDPR replaces the European Data Protection Directive (DPD, Directive 95/46/EC), which came into force in December 1995 with the aim of protecting individuals with regard to the processing of their personal data in the European Union. At the time the internet was still something used by geeks and tech hobbyists, and the directive could never have anticipated how the world would change over the following 21 years, so an update is long overdue. Unlike a directive, which each member state transposes into its own national law, a regulation applies directly and uniformly across the EU.

How is the GDPR Different from Existing Data Protection?
Many of the basics of the GDPR and its predecessor the DPD are similar, but there are key differences which mean that an organisation that is compliant with the DPD will not necessarily be compliant with the GDPR.

Fines
Fines could be issued under the DPD, but their amounts were not what many considered punitive. Under the GDPR, fines can be up to €20m or 4% of global annual turnover, whichever is the higher. This far more serious fine structure will no doubt have organisations globally taking the GDPR a little more seriously.

The Global Scope
The scope of the GDPR is global. Wherever personal data relating to people in the European Union is processed (which includes collection, storage, updating, viewing, reporting and use), it must be safeguarded and treated in accordance with the tenets of the GDPR. Failure to do so can result in fines being levied against the company, particularly if its actions lead to a loss of information or a data breach. It is important to remember that personal data is not just the information captured for the purpose of providing a service; it also includes the information your organisation holds about its employees.

Simplified Breach Reporting
If a data breach or loss should occur, the reporting process has been simplified under the GDPR (Article 33), which requires data controllers to notify the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. A breach that is unlikely to result in a risk to individuals need not be notified, but the controller must still document it. The notification must describe:
• the nature of the personal data breach
• the categories and approximate number of data subjects affected
• the likely consequences of the breach
• the measures the data controller has taken or proposes to take to address and mitigate the breach

The data controller should also provide the contact details of its Data Protection Officer (DPO) when reporting a breach. A data processor is required to notify the controller of a breach "without undue delay"; the controller must then take appropriate action, including notifying the supervisory authority as described above and, where the breach is likely to result in a high risk to individuals, informing the affected data subjects directly (Article 34).

The Use Cases
There are a number of new or extended rights that a data controller must support, either at the appropriate point in the lifecycle of the data or, in some cases, at the request of the data subject or the supervisory authority.

The Right to Erasure
Article 17 of the GDPR describes the right to erasure, sometimes known as the right to be forgotten. Among other grounds, a data subject's personal data must be erased without undue delay when it is no longer necessary for the purpose for which it was collected.

For an insurance company this means that personal data must be deleted once a policy is cancelled, has expired or is not renewed, unless a legal obligation (such as a statutory retention period) or another lawful basis requires it to be kept (Article 17(3)). A data subject can also require the controller to restrict processing of data whose accuracy they have contested while it is being verified; in the final text this right to restriction of processing sits in Article 18.

The Right to Portability
The right to data portability (Article 18 of the draft, Article 20 in the final text) lets a data subject obtain the personal data they have provided to a controller where it is processed by automated means on the basis of consent or a contract. The purpose is to let a data subject change service provider more easily by passing their data to the new provider. The data must be supplied in a structured, commonly used and machine-readable format. A number of sector-specific standards may well spring up once the GDPR comes into force, but for now organisations should expect to do some work to import the data that arrives from their competitors.

Unambiguous Consent for Use of Data
In common with the DPD, an organisation collecting personal data from people in the EU must clearly state the purpose for which the data is being collected, and where consent is the lawful basis for processing the data subject must give a freely given, specific, informed and unambiguous indication of agreement to that purpose. Silence, pre-ticked boxes or inactivity do not count as consent.

Where personal data is used for marketing as a secondary purpose, it is best practice for this use to be identified clearly and separately, and for the data subject to opt in to receiving marketing material.

It is imperative that organisations keep an accurate record of each data subject's agreement to the use of their data for the primary and any secondary purposes, including when and how it was given: the controller must be able to demonstrate that consent was obtained. Failure to do so may invalidate the organisation's right or ability to use the data as desired.

Right of Access
Data subjects have the right to ask a data controller whether personal data about them is being processed (Article 15). This right also allows the data subject to request a copy of the personal data the controller holds about them. The information must be provided without undue delay and in any event within one month of the request, and the first copy must be provided free of charge; a reasonable fee may be charged only for further copies or where a request is manifestly unfounded or excessive.

What this means for an insurance company is that it needs to be able to produce a Right of Access report giving the details held on a data subject should they make such a request. For most firms this will be complicated by their use of several systems (e.g. policy administration, claims, finance and HR systems), and further complicated if the organisation has grown by acquisition and has not consolidated its systems. Where the information is not held in a data warehouse or other centralised repository, the Right of Access report may need to be produced from each system in turn. Verifying the identity of the requester before releasing anything is also essential, since a subject access request is an obvious route for an attacker to harvest someone else's personal data.

Any information provided to the data subject should be decoded, so if, for example, it includes details of a processing office, the internal code should be translated into an understandable description (e.g. B7 becomes Sheffield Office).

The Need for a Data Protection Officer
A Data Protection Officer is mandated in certain circumstances: in the final text, where the controller's or processor's core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data (Article 37), or where the organisation is a public authority. The obligation is tied to the nature and scale of the processing rather than to the size of the company, so smaller firms that are not mandated to appoint a DPO are still likely to need the role on at least a part-time basis.

This person will be the point of contact with the supervisory authority, will be involved in actual or suspected data breaches, and will probably be the person who reviews right of access requests to ensure they are valid.

Transferring Data Outside of Europe
Some organisations will be familiar with the difficulties caused in October 2015 when the Safe Harbour framework (which allowed an organisation to send data to another company, or to another part of its own company, based in the US) was declared invalid by the Court of Justice of the European Union in the Schrems case.

The GDPR allows the establishment of Binding Corporate Rules (BCRs), which allow personal data to be transferred outside the European Economic Area so long as it stays within the corporate group. There is a process to be followed to get the BCRs drafted and approved by the competent supervisory authority; more information is available from your chosen supervisory authority. BCRs are one of several transfer mechanisms; standard contractual clauses remain available for transfers to companies outside the group.

What does my Firm Need to do?

Insurers need to implement changes to their computer systems so that the new use cases and regulatory requirements are supported, while reviewing and updating their data-oriented policies and procedures to ensure they comply with the new requirements.

Underwriters, brokers and risk managers need to ensure that their organisation's processes guarantee the security and quality of the data being collected and, where data is transferred outside the EEA within the group, to set up Binding Corporate Rules to cover those transfers. Finally, they need to implement business process changes so that the new processes meet the requirements of the policies.

When does this have to be Active?

The GDPR applies from 25 May 2018, two years after its adoption. That seems a long time away, but don't be complacent about the timeframe. Many financial services companies have a large change agenda (the number of projects they need to complete) at the moment, so leaving an important project until the last minute is unlikely to be an option.

Darren Wray