As the General Data Protection Regulation (GDPR) will be directly applicable from May 2018, preparations are currently underway in advance of the most significant overhaul on data protection within the EU in over 20 years. The GDPR paves the way for greater data protection harmonisation throughout the EU. Major changes and reforms will be introduced to enhance the free movement of data within the EU and also to address privacy risks.

As the GDPR is a European regulation no Irish transposition measures are required before it becomes law in May 2018. With just over a year to prepare, boards of (re)insurers should be using the time to ensure that they will be fully compliant by then. The following are some key points for the Insurance Sector to be aware of:

  1. Consent: while consent is only one possible means of legitimising the processing of personal data, there are significant changes to the nature of consent to be obtained. It will be mandatory for consent to be freely given, specific, informed and unambiguous for non-sensitive personal data and explicit consent will continue to be required for the processing of sensitive data. Silence, pre-ticked boxes or inactivity will not constitute consent. The validity of consent will expire once the purpose for which it was sought ceases.

  2. Lead Authority Mechanism: organisations with operations in more than one Member State will be principally regulated by the Data Protection Authority in the Member State where they have their "main establishment", meaning that (re)insurance companies and intermediaries will generally only have to deal with one supervisory authority.

  3. Extra-Territorial Scope: in addition to organisations established in the EU, any organisation that offers goods or services in the EU or is involved in monitoring the behaviour of EU residents (i.e. profiling) will also be deemed to be "established" within the EU for the purposes of the scope of the GDPR.

  4. Data Protection Officer: it will be mandatory for organisations to have a data protection officer (DPO) in certain circumstances including where: - core activities of the controller or processor involve regular monitoring of data subjects on a large scale; or - the controller or processor handles a large scale of a special categories of data and data relating to criminal convictions and offences SMEs (likely to include most intermediaries) are exempt from this obligation to appoint a DPO, unless data processing is core to their business.

  5. Extension of Liability: responsibility for privacy breaches extends to data processors so both the data controller and data processor will be jointly liable for any damages on a statutory basis.

  6. Right to be Forgotten/Right of Erasure: under the GDPR the "Right to be Forgotten" will be known as the "Right of Erasure" and any existing case law under the Right to be Forgotten will still be relevant. This right gives individuals the right to request the deletion of data relating to them which is inaccurate, irrelevant or outdated, subject to some exceptions.

  7. Data Portability: organisations must be able to export data in a structured, commonly used and machine readable form upon request to data subjects or to another insurance provider. Organisations will need to implement systems to ensure that data can be easily exported in structured, machine-readable formats.

  8. Increased Fines: organisations breaching the new rules could face penalties of up to 4% of global turnover or €20,000,000 (whichever is higher).

Following the focus of the Office of the Data Protection Commissioner (ODPC) on telematics technology within the insurance industry last year, it is likely that telematics will face further scrutiny with the implementation of the GDPR in light of the new right in relation to automated decision-making. Under the GDPR, a data subject has a right not to be subject to a decision based solely on profiling where that decision produces legal effects or similarly significant effects.

Preparations for the new data protection regime are also underway at the ODPC. The ODPC is a much stronger resource following a very substantial increase in its annual budget over the last few years, a significant expansion of the team and new offices ahead of the implementation of the GDPR ensuring that it will be able to enforce the new data protection regime from May 2018.