On 25 May 2018 the General Data Protection Regulation (2016/679) (the "GDPR") will come into force across the EU. This follows a two year implementation period following which the GDPR will replace the existing Data Protection Directive 95/46/EC.
The implementation of the GDPR brings significant changes to European data protection law, together with serious financial penalties for non-compliance; therefore gaining familiarity with and implementing the requirements of the new regime before the 25 May 2018 deadline is a must for all insurers and reinsurers.
The risks associated with IT and cybersecurity are a key concern for not only the Central Bank but also the Data Protection Commissioner ("DPC"), given their potential to have serious implications for the data subject. A likely consequence of the GDPR is that the DPC's interest in the insurance sector's compliance with data protection is likely to intensify.
Scope of European Union Data Protection Law
The aim of the GDPR is to harmonise data protection across the EU, and to simplify regulation through the introduction of a 'one stop shop mechanism' whereby multinational insurers and reinsurers will only have to deal with a single supervisory authority located in the Member State of their establishment. While the harmonisation is welcomed, inconsistencies are nonetheless likely to arise due to the fact that Member States are still permitted to legislate in many areas.
The GDPR also expands the territorial and material scope of EU data protection law and it will apply to both controllers and processors of data that are established in the EU, and also controllers and processors outside the EU who monitor, or offer goods and services to EU residents. The prohibition on data transfers to countries outside the EEA will remain and the GDPR now also prohibits any non-EEA court, tribunal or regulator from ordering the disclosure of personal data unless it is under an international agreement.
Compliance Burden
As the GDPR imposes some new obligations on processors and controllers, insurance and reinsurance companies will need to be aware of the additional compliance burdens they face. For data processors these include additional terms which must be included in data processing contracts and they directly imposed statutory obligations. These directly imposed statutory obligations mean data processors will be subject to direct supervision and fines by supervisory authorities. Furthermore, these obligations may result in compensation claims by data subjects.
For data controllers the GDPR requires them to demonstrate how they are compliant with the data protection principles. This involves the data controller keeping records of how it has processed data and supplying these records to supervisory authorities on request. Furthermore, under the GDPR the appointment of a data protection officer is compulsory in certain circumstances such as when a company's core activities require regular and systematic monitoring of data subjects on a large scale. Insurance and reinsurance companies will need to consider whether they will need to appoint a data protection officer, and if so, plan how best to recruit, train and resource the position.
Other measures contained within the GDPR which insurance and reinsurance companies will need to be aware of are pseudonymisation and privacy impact statements. Pseudonymisation is designed to offer data subjects another level of protection, while privacy impact assessments will be used by undertakings to identify and address non-compliance risks. In some instances where the processing of data presents a high risk to data subjects a privacy impact assessment will be compulsory.
The following is a list of some of the other key changes the GDPR brings about:
(i) Definition of Personal and Sensitive Data
The GDPR now defines personal data to include an identification number, location data and an online identifier. The new definition of sensitive personal data includes genetic data and biometric data. Another interesting change is that data concerning criminal convictions is no longer classified as sensitive data, however, it does still benefit from special protection. Insurance and reinsurance companies will need to be aware of how personal and sensitive data is defined under the GDPR, as it is likely to have an impact on how this data is used, processed and maintained in to the future.
(ii) Consent
Silence or pre-ticked boxes are no longer sufficient to constitute consent under the GDPR, some form of clear positive action will be needed and data subjects can withdraw their consent at any time. This will clearly impact policyholders and changes to customer facing websites, marketing material and documents will be needed.
(iii) Privacy Notices
The GDPR sets out specific additional information that must be provided by insurance companies to policyholders to ensure transparency. The information to be provided includes the basis for processing the data and the period of time for which the data will be retained.
(iv) Right to Rectification, Erasure, Restriction, Data Portability, Objection and Profiling
Included in the new rights given to data subjects under the GDPR is the right to data portability and the right not to be subject to a decision based on automated processing, including profiling. The GDPR is designed to give data subjects more control by giving data subjects the opportunity to object to processing which is based on the legitimate interest of the controller or a third party.
(v) Subject Access Requests
The main changes to the Subject Access Requests brought by the GDPR are; the specific additional information which must be given to data subjects (policyholders), the time period for processing a request is reduced from 40 days to 1 month, and a request can only be refused where it is "manifestly unfounded or excessive, in particular because of its repetitive character".
What is clear from the above is that the insurance industry is faced with a host of new responsibilities and administrative burdens as a result of the GDPR. Therefore, members of the insurance industry should begin their preparations for the GDPR early in 2017.