The General Data Protection Regulation (GDPR) is enforceable as of 25 May 2018 and supersedes the European Union (EU) Data Protection Directive adopted in 1995. Put simply, it gives individuals more transparency on how their data is used and forces firms to take greater care when handling personal data.
The Regulation has been introduced to increase the control individuals have over their personal data and to provide a single, EU-wide regulation to make it easier for firms to comply and regulators to enforce. It's been a work-in-progress for 6 years: the original proposal was issued in 2012, the Regulation was ratified in 2016, and there has been a two-year transition period leading up to May of this year.
Some Context on GDPR and the Insurance Industry
Before we get into the details, there are three important points worth noting:
Firstly, GDPR builds on the original Data Protection Directive; so, if you already comply with those requirements, it is much easier for you to comply with GDPR. Even if you're new to the European market, the processes you have implemented to meet state- or country-specific data protection requirements will take you a long way towards meeting GDPR.
Secondly, rather than considering GDPR as a burden, forward-thinking firms will think of it as an opportunity to improve their approach to data protection and cybersecurity. Individuals are becoming savvier about their rights, regulators are becoming more punitive, and data breaches are becoming more commonplace as their consequences become more devastating.
Consider for example:
- Hackers stole the credit and debit card details for 5 million consumers from upmarket New York retailer, Saks Fifth Avenue.
- A vulnerability on the website belonging to credit agency Equifax meant the personal data of as many as 140 million of their US, UK, and Canadian customers was easily accessible.
And it's not just large businesses that are feeling the heat: nearly 900,000 UK SMEs suffered a cybersecurity breach in the last 12 months, too.
Thirdly, there are broader benefits to be enjoyed by thinking long term and putting data management and protection at the heart of your business. For example, better operational transparency; more organized, clearly defined policies and procedures; better business controls and more favorable cyber insurance policies.
Main Considerations for Distributors
The published Regulation runs to 260 pages, so in this article we’ve summarized the main changes as they apply to distributors. We’ve used the term ‘Regulator’ as a general term for the supervising authorities who will vary by country.
Scope of Personal Data
Personal data means any information that can identify an individual, and GDPR extends the scope to include identification numbers and online identifiers. Since most insurance distributors gather and store data digitally, it means IP and email addresses, and any other system identifiers are now in scope and your tech team have an important role in making sure they are managed in a GDPR-compliant way.
There are also tighter controls on the use of sensitive data such as health, biometric, race or sexual orientation data. This means, for example, that where data is needed for the purposes of underwriting health insurance, explicit consent for that purpose must be given by the individual, and any other reasons for its use (e.g. building a marketing profile) must be made clear, with separate consent given for those, too.
More generally, since the purpose of the Regulation is to enforce a stringent use of personal data, distributors must work with their partners to make sure they protect any exchange of personal data throughout the entire engagement with the customer.
GDPR applies to all organizations based in the EU that collect, store, or process personal data from EU residents, regardless of whether or not they are EU citizens — and if they’re citizens — regardless of where they reside. Significantly, it also applies to organizations based outside the EU who offer goods or services to EU residents or who collect data from EU residents visiting their website, which rules in most organizations.
For distributors outside Europe, this might not be as bad as it sounds. Since the regulations for selling insurance in EU member states are rigorous and you should already be applying good data protection practices, GDPR need not make a big difference. Of course, for those that aren't, this could be a big challenge.
Another consideration for large firms based outside the EU is the need to appoint a representative to act on their behalf when dealing with the Regulators in each country.
Even if businesses aren't targeting Europe directly, the nature of the global economy means they will be working with those who are and compliance will become an issue at some point.
Why You Need to Process Personal Data
GDPR doesn’t change the requirement to have a valid lawful basis for processing personal data, but the definition of the lawful bases has tightened a little, and the rule for one of those — obtaining consent — is now different.
You must now demonstrate, unambiguously, that the individual has given their consent for use of their personal data. The use of pre-ticked forms or an assumption that the individual has automatically granted consent by reading a privacy notice is no longer allowed.
Also changed are the requirements surrounding privacy notices.
They need to be written in plain, easily understandable language and be clearly visible, not buried among detailed terms and conditions. They also need to give a detailed explanation of what the personal data will be used for, the retention period for the data, and the rights individuals have regarding their data (more on this point below).
All of these changes have a potentially big impact on distributors. Staff must be trained in the new consent rules and all offline and online privacy notices will have to be updated. Additionally, if personal data is received from a third party — a broker/agent receiving data from an insurer, for example — consideration must be given as to how the broker/agent will provide their privacy notice to the individual, when they don’t own the direct relationship. A shared privacy notice that meets the needs of both parties is the most logical approach.
Using Service Providers
Service providers who process personal data on behalf of distributors must now comply with GDPR, regardless of their location, if they process data relating to EU citizens. This is a positive move since, under DPD, the compliance burden lies with the distributor only.
In the era of cloud computing, many distributors use outsourced service providers and platforms for the storage and management of data, which now means this relationship is under scrutiny.
Although service providers are liable for any data breaches and can be fined by the Regulator, distributors share some of the responsibility. For this reason, your third-party service contracts should be watertight and performance against them regularly monitored.
Meeting the Rights of Individuals
GDPR gives individuals the right to access data held about them, have it corrected, or restrict its use. However, the deadline for complying with these requests is now 30 days rather than the 40 allowed by DPD.
There are two new requirements introduced — one significant for distributors, the other less so.
Individuals can now ask for their personal data to be erased. There are certain cases where the firm doesn’t need to comply with this right to be forgotten, for example if it needs to keep the data to comply with other legal obligations; otherwise the data must be deleted within 30 days.
Also new to GDPR is the right to data portability.
This is another way in which the Regulation gives more control to individuals: by letting them move or copy their personal data from one organization to another, quickly and securely, it makes it easier to switch supplier.
Data needs to be provided in an open format, typically CSV, within 30 days.
Accountability and Governance
“Accountability” is new to GDPR, but simply means you should be able to demonstrate compliance with the GDPR principles and have appropriate governance arrangements in place to oversee continued compliance.
The Regulator will look for evidence of:
- Organizational measures such as data protection policies & procedures, staff training, and internal audits
- Appointment of a Data Protection Officer (DPO) if appropriate (although this is only mandated for large firms)
- Consent and the lawful basis for processing
- Data protection matters being considered during the creation or change of business processes and supporting tech (this is referred to as data protection by design and by default)
This should be standard good practice for distributors since it’s the basis for any regulatory compliance, but it would be sensible to review current arrangements and make sure there are no gaps.
Reporting Data Breaches
A breach occurs when an incident affects the confidentiality, integrity, or availability of personal data. This includes unauthorized access, data sent to the wrong person, lost or stolen laptops, or unplanned system downtime.
It’s mandatory to report a breach if it’s likely to result in a risk to an individual’s rights and freedoms, and the individual should be told if it’s likely to result in a high risk to their rights and freedoms. There’s no firm advice on risk versus high risk, and it’s left to your interpretation of incident severity and impact.
Breaches must be reported within 72 hours, and there’s a potential fine of up to 10 million euros or 2 percent of the company’s global turnover if the deadline isn’t met. So, it’s worth sharpening up your breach detection and reporting protocol.
The Bigger Regulatory Picture
It won’t come as a surprise to find out that GDPR isn’t the end of the regulatory journey.
Like the original DPD, individual countries will introduce their own regulations to address country-specific requirements not covered in GDPR, although the EU has been quite firm in limiting the number of those.
As an example, the Data Protection Bill, the replacement to the Data Protection Act 1998, started its journey through the UK parliament in September of last year.
In the US, data protection regulations aren’t as wide or as integrated as those in the EU — there are federal laws which protect children's data and a patchwork of state or industry sector regulations — but that’s about to change.
The Data Security and Breach Notification Act entered the US Senate in November. It has a long way to go before becoming law, but the current draft is similar to GDPR and contains a proposed maximum five-year prison sentence for intentionally hiding a personal data breach, something that will get everyone’s attention.
Although not data protection specific, the EU Insurance Distribution Directive is now planned to take effect in October, having been delayed from February, meaning there are two sizeable pieces of regulatory work that distributors need to worry about this year, and there will doubtless be more to follow.
The Takeaway – Immediate Actions
It’s worth taking the time to get GDPR right: the maximum fine for failing to comply with the main conditions is 20 million euros or 4% of group worldwide turnover, whichever is greater.
Having the correct processes, documentation and system changes ready before 25 May 2018 is no small ask, but here’s a simple checklist to help.
- Appoint a DPO, at least for 6 months, to give a sharp focus on compliance activities. That person should oversee the rest of these steps.
- Perform a data audit. You need to understand what you’ve got, why you need it, and how long you need it for. Data that isn’t needed should be securely removed. Going forward, don’t collect data that you don’t need.
- To be successful, GDPR compliance must be embedded across the organization. Finance, HR, operations, tech and marketing all have a role to play. Ensure there is regular firm-wide training and communication.
- Update privacy notices and the tools used for getting and storing consent.
- Update policies and procedures. This includes those needed for breach reporting and meeting requests from individuals.
- There’s no fundamental change to security requirements introduced by GDPR, but you should make sure there is a robust approach to cybersecurity across the firm.
- If you use service providers, especially if they are outside the EU, update contracts to make sure they enforce GDPR compliance (as force.com-built solution providers do).
For GDPR and the insurance industry, compliance should be seen as a journey, not a destination. Time invested now will put you ahead of many others and leave you in a great position for delivering on your ambitious growth plan.