The General Data Protection Regulation (GDPR) is a proposed set of rules which aim to implement a stricter and more uniform data privacy regime right across the European Union. The EU institutions agreed on the scope and detail of the GDPR towards the end of 2015 and it is due to come into force on 25 May 2018. It will replace the 1995 Data Protection Directive - implemented in the UK by the Data Protection Act (DPA) - and will supersede the privacy laws of every EU state with immediate effect. How does this affect insurance?
What are the key points of GDPR?
Whereas current data protection regulations only apply to data controllers, the GDPR will extend obligations to data processors, including requirements to:
- Carry out regular data protection impact assessments;
- Implement appropriate security standards and maintain adequate documentation; and
- Appoint a data protection officer (for public authorities or controllers and processors who process large scale and/or sensitive personal data).
Data processors can be fined if they fail to fulfil their GDPR obligations - and data controllers must ensure they implement written data processing agreements with any third parties (eg. suppliers) who process any of this data.
Consent and right to erasure
Stricter requirements to gain explicit consent from data subjects will apply to companies who wish to hold or process any personal data. Parents will need to grant consent on behalf of any data subjects who are under a certain age (each country's regulator will determine this age, in the range of 13 to 16 years old).
As well as tightening up rules on gaining consent, the GDPR also provides greater powers to individuals to remove this consent, should they change their mind at a later date. It introduces a 'right of erasure' (otherwise known as the 'right to be forgotten') which essentially means that data controllers will need to delete any personal data if requested by the relevant individual.
Data subjects will be able to demand that any of their data held by a data controller be transferred in a "structured and commonly used and machine-readable format" - either to themselves or to a different data controller. This right is known as 'data portability' and can be invoked if, for example, an individual using a cloud based software service wishes to change their service provider (ie. without losing all their data).
The relevant data protection regulator (the ICO in the UK) must be notified of any personal data breaches "without undue delay" - and within 72 hours if possible - by the data controller, once they become aware of the breach. The only derogation from this rule is where the breach is "unlikely to result in a risk for the rights and freedoms of individuals". Furthermore, if a data breach is likely to pose a "high risk to the rights and freedoms of individuals" the data subjects must also be notified by the data controller. Data processors, meanwhile, are required to notify the data controller of any personal data breach "without undue delay".
Personal data and special personal data
A uniform definition of "personal data" will be applied across the EU, to include "any information relating to an identified or identifiable natural person". Furthermore, the ambit of special personal data (more commonly known as sensitive personal data) will be extended, to encompass biometric data (eg. retinal scans and fingerprints) and genetic data. The new regulations will make it even more difficult to justify the processing of special categories of personal data - which also include "data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership" and "data concerning health or data concerning a natural person's sex life or sexual orientation."
Data protection officers
Public authorities and other data controllers or processors who carry out large scale systematic monitoring of individuals, or those who handle special personal data or data pertaining to criminal convictions and offences, are required to appoint a Data Protection Officer (DPO). This DPO should have professional experience and knowledge of data protection law and their tasks include:
- Monitoring data protection compliance within their company or organisation;
- Providing training and awareness of GDPR and other data protection duties to staff; and
- Being the first point of contact for data subjects and regulatory authorities (eg. the ICO).
Privacy by design and Pseudonymisation
The GDPR will introduce a requirement for data controllers to "implement appropriate technical and organisational measures" when developing products, services and procedures. This emphasis on "privacy by design" is particularly relevant to the Internet of Things (IoT) and Big Data, and takes into account cybersecurity concerns.
Pseudonymisation is one way of meeting privacy by design requirements. It is defined under the GDPR as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." Technical measures such as tokenisation and hashing can be used to work towards the pseudonymisation of personal data.
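As an added illustration of the tokenisation and hashing measures just mentioned (example code written for this page, not part of the original article): a small token vault that is the "additional information kept separately", a keyed hash that gives a stable but non-reversible pseudonym, and a check showing why an unkeyed hash of an e-mail address does not meet the definition. The policyholder record, the key and all names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for a hypothetical policyholder (not real data).
SAMPLE_RECORD = {"name": "A. Example", "email": "a.example@example.com",
                 "postcode": "SW1A 1AA", "claims": 2}


class TokenVault:
    """Tokenisation: replaces a value with a random token and keeps the
    token->value map here. The vault is the 'additional information' the GDPR
    wording requires to be kept separately, under its own access controls."""

    def __init__(self):
        self._forward = {}   # value -> token
        self._reverse = {}   # token -> value

    def tokenise(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)   # random, not derivable from value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token):
        return self._reverse[token]


def keyed_pseudonym(value, key):
    """Keyed hashing (HMAC-SHA256): the same subject always maps to the same
    pseudonym, so records still join, but only the key holder can re-link them.
    The key is the separately held 'additional information'."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


def guess_from_candidates(digest, candidates):
    """Why a plain hash of an e-mail is not pseudonymisation: the only extra
    information needed is a list of plausible addresses, not a held-apart secret."""
    return next((c for c in candidates if unkeyed_hash(c) == digest), None)


def pseudonymise_record(record, vault, key):
    """Direct identifiers are tokenised; the e-mail becomes a keyed pseudonym so
    records for the same subject still link; non-identifying fields stay as-is."""
    return {"name": vault.tokenise(record["name"]),
            "email": keyed_pseudonym(record["email"], key),
            "postcode": record["postcode"], "claims": record["claims"]}
```

In practice the vault and the HMAC key live in a separate store (or an HSM) with different access rights from the pseudonymised data set; keeping them side by side would defeat the "kept separately" condition.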
How will GDPR affect insurance companies in the UK?
The GDPR is expected to come into force on 25 May 2018. As insurance companies often both control and process data, it's crucial that they are fully prepared for the new rules to come into effect. The most senior management at board level will be held accountable for any failures to implement GDPR requirements; they cannot simply delegate this accountability to more junior employees or the IT team. Ensuring that a DPO is assigned to handle GDPR will of course help to prevent any issues from arising; but the DPO should be able to report to board level directors or the "highest management level".
Fines and compensation
Currently, the maximum fine which can be imposed by the ICO is £500,000. The GDPR will drastically increase the possible level of fines, up to the greater of €20 million or 4% of total global turnover of an undertaking. Since many insurance companies have a presence in multiple countries, this threat to global turnover should propel data protection concerns to front of mind. Indeed the vast difference in the level of fines pre- and post-GDPR will undoubtedly change the culture surrounding data protection matters within the insurance sector as a whole, as key members of staff at all levels will need to keep an eye on this area.
How will GDPR affect transatlantic data sharing?
The EU-US "Privacy Shield" recently replaced the invalidated "Safe Harbor" agreement as a data protection framework for American companies handling data of Europeans. Privacy Shield was designed to allow transfers of personal data from EU member states to the US, providing a set of principles which must be followed to remain compliant with EU data protection laws.
But whilst Privacy Shield is designed to uphold the existing data protection laws, the GDPR introduces new stricter data protection laws which replace the previous regime. As such, US companies will need to tighten up their practices to follow the GDPR; simply following the Privacy Shield principles will not be sufficient.
What about insurance companies which are headquartered outside the EU?
All insurance companies which do business in the EU, hold data pertaining to EU citizens or process such data, will be caught by the provisions of the GDPR. Additionally, if they use any form of online advertising which involves internet-use profiling of EU citizens (in practice, this often simply means that geo-location preferences do not exclude IP addresses associated with EU countries) they can similarly face consequences under the GDPR.
What are the risks and opportunities for the insurance sector?
The high level of mergers and acquisitions in the insurance industry poses a particular challenge for insurers, as they need to either harmonise legacy systems to provide uniform data protection procedures, or else they need to train staff to manage data protection over multiple systems.
As policyholders often switch insurance providers, catering for the new data portability requirement is crucial for insurers when customers decide to take their business (and data) elsewhere. Meanwhile, they need to be careful when looking for new customers; in particular, using data controlled by third parties (eg. Facebook posts) to assess individual premiums can potentially open them up to liability as data processors.
Insurers may benefit from an increased uptake of cybersecurity insurance policies, particularly by businesses dealing with large volumes of personal data. A surge has been seen in the US cyber-insurance market recently, and a similar trend may translate to the UK market with the impending spectre of GDPR and its significant fines.
Will Brexit affect the adoption of GDPR in the UK?
Negotiations are expected to take at least two years between the triggering of article 50 and the UK formally exiting the European Union. As such, the GDPR will directly apply to the UK for a good 10 months following its coming into force at the end of May 2018. Furthermore, just as with any other non-EU country, the regulations will continue to apply to British companies - even post-Brexit - unless they cease to operate in the EU.
How should insurance companies be preparing for the introduction of GDPR?
- Awareness – make sure key personnel are briefed on the main points of the GDPR relevant to their area.
- Impact assessment - carry out a comprehensive analysis of your current data protection measures. Consider any measures you will need to take to ensure compliance under the new regulations.
- Audit - review your contracts and policies and update these in advance of GDPR. Examples include: adding a clause in contracts with third party data processors asking them to notify you immediately of any data breach; and tightening up staff data protection policies to meet the new regulatory requirements.
- DPO – appoint a Data Protection Officer if necessary.
- Design – ensure that you take account of data protection principles if you are creating a new product or service, updating your IT systems or revising procedures.
- Training – make sure that staff at all levels of your organisation have sufficient awareness of how data protection issues may relate to their particular roles, and provide sufficient training to promote compliance.
- Advice - obtain external advice well in advance of 25 May 2018. Similarly, an IT consultant who understands the forthcoming rules can review your existing IT systems and make sure they meet the new requirements.