By the nature of its business, the insurance sector collects and has access to a large amount of personal data. (Re)insurers and their service providers (including third party administrators) routinely hold and process significant amounts of data relating to their insureds.
The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Many insurance products require personal data to be processed whether in connection with the underwriting process or at the time that a claim is made. This is particularly the case in personal lines business such as travel and home insurance.
Implementing effective data protection controls into daily operating procedures is a huge challenge. When the EU General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 come into force on 25 May 2018, however, businesses will ignore them at their peril, as non-compliance can result in large fines (up to €20,000,000 or 4% of annual turnover) and reputational damage. There are also commercial benefits to effective compliance: companies which protect the privacy of their (re)insureds and business associates are more likely to attract and retain business and staff.
The GDPR will apply not only to businesses based in the EEA but also to data processing carried out by companies outside the EEA if they have an office within the EEA or offer goods or services in the EEA to individuals based there.
We set out below some of the issues you need to consider and how you can action them and demonstrate compliance.
What personal data do you hold, where and why?
The insurance sector holds a considerable amount of information on its (re)insureds and its prospective clients (where personal data is received to enable the (re)insurer to quote). To manage this, insurers should:
> Update outdated personal data or delete it if it is no longer needed.
> Identify sensitive personal data (for example, in accident and health cover, medical information) which has an additional layer of protection. It was envisaged initially that an individual’s consent would be required for processing this information other than in life or death situations.
Under a concession introduced into the Data Protection Bill in February 2018, however, the UK Government has agreed to allow processing of some sensitive data “if the processing is necessary for an insurance purpose”.
An insurance purpose includes advising on, arranging, underwriting, administering a claim under, exercising a right or complying with an obligation under, an insurance or reinsurance contract.
> Consider what data is held in relation to its employees and whether this may also include sensitive personal data.
> Review the use of “profiling”. The GDPR makes it clear that a person cannot be subject to a decision made purely on the grounds of profiling. It is important to note, however, that this requirement does not apply to the formation of contracts, so traditional underwriting methods are likely to remain a permissible activity. From a commercial standpoint, however, the use of profiling to target certain people with marketing will fall within the GDPR rules, and therefore insurers will need to obtain explicit consent from a data subject in order to do this going forward.
What is your lawful reason for processing personal data and how do you record that?
> If you currently rely on consent for processing personal data, ensure this is documented properly. Historic consent will not be “grandfathered” into the new regime. If consent that was previously obtained from a data subject is not GDPR compliant, then it must be re-obtained.
> Check whether there are other grounds that you can rely on instead, for example whether the processing is necessary for the performance of a contract with the individual or for a legitimate business reason (both of which might apply to insureds’ information in the insurance sector), and record the reason relied on.
> Check that each individual on any marketing database has consented to receive electronic marketing, or that they were given the opportunity to opt out from such marketing when their contact details were first collected.
Is your Privacy Notice GDPR ready?
> Add a privacy policy to your website and emails (or update it if you already have one) to make clear how you use personal data collected (for example through online questionnaires or platforms that are used to collate placing information).
> If you collect information on individuals from third parties (such as brokers or aggregators) ensure that the individuals are aware that you are processing their data and consider amending contracts with third parties to ensure that this is done.
Who do you share personal data with, why and what controls do you have in place to protect that data?
> Many (re)insurers share information with service providers or other third party administrators (e.g. outsourced claims functions). Consider which are acting as data processors and which are acting as controllers or joint controllers. For example, an insurer using a reinsurer without first checking their data control processes could be liable for any breach by the reinsurer, as the data subject has the right to bring a claim against the data controller or data processor.
> Make sure that your contracts with other parties such as underwriting agents or outsourced service providers who might be data controllers or processors are clear about their responsibilities under the GDPR.
> Consider asking third parties to complete an audit questionnaire to confirm that they are aware of, and compliant with, their responsibilities under the GDPR, including their duty to report data breaches and to notify changes to their data processing systems.
> If you transfer data within the EEA, you will need to appoint a Lead Supervisory Authority (LSA). Check for any country-specific guidance published by the LSA or any secondary legislation enacted in that jurisdiction and seek assistance from the LSA on any areas of ambiguity.
> If you transfer data outside the EEA, you will need to consider whether any exemptions for transfers of personal data outside the EEA apply. If not, assess whether the requirements for transfer are met. In the case of multinational companies, consider adopting Binding Corporate Rules.
How do you deal with and report data protection breaches?
> Ensure that systems are in place to notify a personal data breach to the relevant supervisory authority within 72 hours after becoming aware of a personal data security breach and to notify the data subject without undue delay in prescribed circumstances. Therefore, it is essential for (re)insurers to review their current policies and procedures so that breaches can be detected and managed properly as soon as possible.
> Create and maintain a register of data breaches including details of how the breach occurred and what steps were taken to resolve it.
> Consider taking out a cyber and data risks insurance as an extra layer of protection.
Do you need a Data Protection Officer?
> Designate someone to take responsibility for data protection compliance.
> Assess whether you are required to appoint a Data Protection Officer, or whether you wish to appoint one voluntarily.
What processes do you have in place to deal with improved rights for individuals?
> Currently, a subject access request (SAR) carries a fee and companies must respond within 40 days. Under the GDPR, SARs are free and a response is required ‘without delay’ and, in any event, within less than one month.
> Ensure that those dealing with personal data know how to deal with the new rights including how to delete data if requested and how to provide data electronically.
> From a commercial standpoint, the financial and administrative resources required to handle these requests will increase, especially when one considers that the scope of information a data subject can request access to now includes:
• records of any transfers of their personal data outside the EEA;
• the insurers’ safeguards;
• the proposed period of storage; or
• contact details of the DPO.
> Data controllers must delete personal data on request if it falls within any of the specified grounds, which include where the personal data is no longer necessary for the original purpose for which it was collected/processed, or simply if a data subject revokes their consent for its use and no legal ground for continuing to process it remains.
> The data controller can only prevent the erasure where they can show a compelling legitimate ground/interest in the data, it is necessary to comply with legal or regulatory obligations, or to establish, exercise or defend legal claims.