The General Data Protection Regulation (GDPR) has applied since 25 May 2018. This short article looks at how the GDPR affects the insurance industry. Careful consideration of the Regulation is essential, because non-compliance can result in heavy fines among a number of other sanctions.
It is essential to note that the GDPR applies to insurance companies all around the world, not only those based in EU member states. If your company, in the course of its operations, processes the personal data of individuals in the EU (for example by offering them insurance products or monitoring their behaviour), it must be GDPR compliant regardless of where the company itself is established. What this means is that you must ensure that all of your preparations are complete.
Data Processors’ Responsibilities under GDPR
In the context of the GDPR and the insurance industry, one of the most significant developments is that the burden of ensuring compliance is now shared between data controllers and data processors. Previously, the responsibility for ensuring the security of any processing of the data under their control was borne by data controllers alone. Data subjects can now take action against both data processors and data controllers if issues regarding the processing of their data arise.
As the majority of insurance providers are data controllers that depend on third-party processors, the new rules under the GDPR might in fact work in their favour, since processors now carry their own share of the liability. Be that as it may, it is crucial that every contract between an insurance company and a data processor sets out the GDPR obligations of each party: Article 28 requires processing by a processor to be governed by a written contract covering, among other things, the subject matter and duration of the processing, the security measures to be applied, and what happens to the data when the contract ends.
Insurance Industry Profiling under the GDPR
Another area where the GDPR changes a great deal for the insurance sector is profiling. Profiling is widely used in the insurance industry for purposes such as setting premiums, detecting possible fraud and targeting marketing campaigns.
The GDPR introduces a definition of ‘profiling’ (Article 4(4)): any form of automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict aspects such as performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. This obviously covers most of the purposes for which profiling is used in the insurance sector.
Article 22 of the GDPR introduces a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them, except where: the decision is necessary for entering into, or the performance of, a contract between the data subject and the data controller; the decision is authorised by Union or Member State law to which the controller is subject; or the data subject has given explicit consent.
It is significant that this right applies only when the whole decision is made by automated means, with no meaningful human involvement, and only when the decision has a legal or similarly significant effect on the individual, a test that decisions on premiums or eligibility for cover will often meet.
Issues with Signing Contracts
If you are thinking about the GDPR and its likely impact on the insurance sector, the position on profiling might seem relatively straightforward: surely it is possible to show that automated decision-making is necessary for entering into the insurance contract? However, what about cases where there is a third party to the contract, e.g. a named driver on a car insurance policy, or a policy that covers numerous members of staff at a company? In such cases there is no contract between those third parties and the data controller, so the contract exception in Article 22 cannot be relied on for them. There must therefore be either explicit consent from those individuals or a legal authorisation for the profiling to take place. It is probable that the consent of every individual included in the policy would be necessary before their data is used in any automated decision-making process.
Amendments to the Rules on Consent to Use Personal Data
It is wise to review the ways in which the concept of consent has been transformed under the GDPR. Here are some things to think about when your business is trying to ensure that its approach to consent is GDPR compliant:
- Consent must be informed. Data subjects have to be made fully aware of what they are agreeing to and who is asking for it.
- The exact purpose for which consent is sought must be clearly set out, and the consent covers only the use of data for that specific purpose. Where data is to be used for several purposes, consent should be sought for each of them.
- Pre-ticked boxes, silence or inactivity are no longer sufficient. The data subject must take a clear affirmative action (such as ticking a box themselves) in order to give consent.
Much more weight is placed on consent under the GDPR. If you intend to rely on consent as your lawful basis for processing, you must be satisfied that the requisite consent is in place, that the data subject was fully informed before giving it, that it can be withdrawn as easily as it was given, and that the data is used only for the purpose for which consent was granted. Keep a record of when and how each consent was obtained, since the controller must be able to demonstrate that it was given.
GDPR Insurance Industry Preparation
Insurance firms need to be GDPR compliant if they hope to avoid significant fines for non-compliance. Fines can be up to €20m or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. In practice, fines at the top of that range are unlikely to be commonplace. That does not, however, mean you can afford to be complacent. Several key preparations need to be completed to ensure that a company is GDPR compliant:
- Ensure that all contracts with data processing providers incorporate the GDPR obligations of both parties, as required by Article 28.
- Review all personal data held or processed by your business to confirm that it is accurate and up to date, and that there is still a need to retain it.
- Ensure that you have a lawful basis for processing personal data and that, where you rely on consent, all necessary consent is in place and recorded.