The General Data Protection Regulation (GDPR) became enforceable on May 25 2018 and brought with it a number of rules that could, if broken, may result in the sanctioning of heavy fines.
One sector where GDPR has had a huge impact is insurance industry, particularly in relation to profiling. Profiling is often implemented in the insurance sector in order to establish premiums, uncovering potential fraud and strategizing marketing campaigns.
GDPR created a new definition of ‘profiling’ which refers to it as any automated decision making process, such as the analysis and prediction of work performance, economic category, health status, personal interests and preferences, dependability and behaviour, location and movement. This takes into account most of the tasks that profiling is implemented for in the insurance sector.
Article 30 of the GDPR established a new right which states that no person can be subject to a completely automated decision except in instances where; such a decision is deemed a required as part of an agreement between the data subject and the data controller, the decision is a legal requirement, or categorical consent has been provided by the data subject.
It is important to recognise that this right is applicable only when the whole decision is made via an automated process, and no human intervention whatsoever takes place.
If you are reviewing your GDPR obligations and the impact it is have on the insurance sector, it might seem as though the situation surrounding the use of profiling should be relatively simple. However, what about times when there is a 3rd party to the contract, e.g. a named driver on a car insurance policy or if a policy covers a number of staff members of a business? On occasions like this, it is impossible to establish a contract between the third parties and the data controller. Therefore, there must be either the presence of specific consent or legal reasoning for the profiling. It is likely that consent of all of the parties incorporated in the policy would be required, and hence comprised in any automated decision making procedure.
Amendments to the Rules on Consent to use Personal Data
It is important to review the ways in which the concept of consent has been changed due to the introduction of GDPR. Here are some things to think about when your company is attempting to ensure that its strategy for obtaining consent is GDPR compliant:
- All consent must be fully informed. Data subjects have to be made completely aware of what they are providing their consent for.
- The specific reason for which consent is necessary should be clearly defined, and such consent is applicable only for the use of data for that specific reason.
- It is no longer legally acceptable to obtain consent using pre-checked tick boxes. The data subject requires an “action” to be completed in order for consent to be received.
Much more importance is attached to consent under GDPR. If you plan to depend on consent as your justification for processing data you must be happy that the requisite consent been provided, that the data subject was fully informed before they provided their consent and that the data will be used only for the purpose for which consent has been handed over.
Insurance Sector GDPR Compliance
Insurance agencies need to be ready for the introduction of GDPR if they are aiming to prevent the sanctioning of large fines for non-compliance. GDPR fines could be as high as €20m or 4% of the company’s annual revenue for the previous financial year.