You may have heard about the implementation of the General Data Protection Regulation (GDPR), which is due to take place on 25 May 2018; let’s take a look at GDPR and the insurance industry in more detail. This type of in-depth consideration is important, as failure to comply with GDPR rules could lead to the imposition of significant fines and other sanctions.
One thing it’s important to note is that the GDPR applies to insurance companies across the globe, not just those based in EU member states. If your company processes the personal data of any EU citizens as part of its operations, then it needs to comply with the GDPR. All of this means that you need to ensure all of your preparations are complete before the GDPR becomes a reality.
New obligations for data processors
One of the biggest changes, when it comes to GDPR and the insurance industry, is that the responsibility for ensuring that rules are complied with is now shared between data controllers and data processors. Previously, the onus was on data controllers to ensure the security of the processing of the data they controlled. Data subjects are now able to take action against data processors as well as data controllers, should there be issues with the processing of their data.
Given that most insurance providers are data controllers, which rely on third party processing, rules under GDPR could actually be fairer for them. That being said, it’s important that any contracts between insurance companies and data processors reflect the need for all parties to be GDPR compliant.
GDPR and the insurance industry – profiling
Another area where GDPR is likely to have a major effect on the insurance industry, once it comes into force, is profiling. The use of profiling is prevalent in the insurance industry, in order to undertake actions such as setting premiums, detecting potential fraud and creating direct marketing campaigns.
Under GDPR, a new definition of profiling is created. This definition refers to profiling as any automated decision-making process, especially the analysis and prediction of performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements. As you can see, this covers most of the purposes for which profiling is applied in the insurance industry.
There is a new right, introduced under Article 30 of the GDPR, which states that no-one should be subject to a fully automated decision except when such a decision is necessary as part of a contract between the data subject and the data controller, the decision is required by law, or explicit consent has been provided by the data subject.
It’s worth noting that this right only applies when the entire decision is made using an automated process, and there is no human intervention involved.
Problems when it comes to contracts
If you are thinking about GDPR and the insurance industry, you may believe that the situation around the use of profiling could be fairly simple. After all, is it not possible to prove that automated decision making is necessary for the completion of contracts? But what about where there is third-party involvement in the contract, such as a named driver on a motor policy, or when a policy covers many employees within a business? In cases such as these, it’s not possible to have a contract between the other parties and the data controller, so there would need to be legal reasons for the profiling, or explicit consent. It’s likely that this consent would need to include all parties included in the policy, and therefore included in the automated decision-making process.
The changes involving consent
At this point, it’s a good idea to take a look at how consent has changed with the introduction of the GDPR. Given that consent is one of the major lawful bases on which personal data can be processed, it’s important to understand what these changes mean. Let’s take a look at what you need to think about when you are ensuring that consent is in place:
- Consent should be fully informed. The data subject needs to be fully aware of what they are consenting to.
- Consent needs to be given for data to be processed for a specific purpose, and only applies to that purpose.
- An action needs to be taken to give consent. This means that it’s no longer sufficient to use pre-checked tick boxes.
There is far more emphasis on consent under GDPR. If you are going to use consent as a reason for processing data, or as a reason for profiling, you need to ensure that you have the necessary consent in place, that it’s informed consent and that you only use it in relation to the purpose for which it was provided.
Preparing for GDPR within the insurance industry
GDPR and the insurance industry is a major topic, as you can see. Any company within the sector needs to be prepared, or it could face substantial fines for non-compliance. These fines could be as high as 20 million euro, or 4% of annual turnover, whichever is higher. Realistically, it’s unlikely that massive fines will be the norm, but this does not mean you can risk being unprepared. There are several preparations that you need to make in order to ensure that your company complies with the GDPR once it’s introduced.
- Ensure that contracts with data processing providers reflect GDPR responsibilities.
- Audit any personal data that you hold or process to ensure that it’s accurate, up to date and that you still need to retain it.
- Ensure that you are legally entitled to process personal data, and that any required consent is in place.