Although the EU General Data Protection Regulation (GDPR) was designed to harmonise data protection laws across Europe, particular industries will have to respond differently in order to achieve compliance. In a report published in June, research and consultancy firm Celent highlighted the challenges the GDPR will present to insurers.
Data processors and controllers
The GDPR, which comes into effect in May 2018, affects all data processors and controllers that handle EU residents’ personal data.
Insurers are data controllers, i.e. persons, public authorities, agencies or bodies that determine the purpose of processing personal data. An insurer can also be a data processor if it receives data from a third party that it’s not permitted to process for its own purposes.
Steps insurers should take
Celent outlines some areas that insurers should focus on when meeting the GDPR’s compliance requirements, including:
- Fair data processing: The GDPR requires organisations to appoint a data protection officer (DPO) in certain circumstances, so you must determine if you fall into any of those categories. Even if you don’t, you may opt to appoint a DPO anyway, as it will help you establish a clear policy in terms of data processing. Celent states that this policy should define the reasons for keeping data, give data subjects the right to obtain a copy of the data the insurer holds on them and allow the data to be erased.
- Consent: As with all industries, insurers need to make sure their data collection and consent processes are in line with the GDPR’s compliance requirements. Consent is one of six lawful grounds by which organisations can process data, and should only be sought if no other ground applies. Insurers in particular are advised to look for other means of data processing, because the amount of sensitive data that they handle means they will often be obliged to obtain explicit consent.
- Data security: Insurers need to review their security procedures and be prepared to adapt them in order to comply with the Regulation. Celent recommends “integrating the data security management concept into the wider risk management framework”. Insurers should also consider risk mitigation techniques (such as anonymising archived data), regularly test contingency plans, assess their security measures and investigate the effectiveness of their technological defences.
- Compliance enforcement: Given the potential fines for failing to comply with the Regulation, insurers should monitor the company’s data protection management procedures. This may involve requiring the DPO (if appointed) to report to the executive board, or the company may choose to assign a member of the board to sponsor a team of internal or external auditors.
Our GDPR green paper
For more advice on what you need to do to prepare for the GDPR, you should read our free green paper EU General Data Protection Regulation – A Compliance Guide. The guide provides an overview of the Regulation and the critical areas that organisations need to be aware of when preparing for it.