HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Insurance Industry compliance with GDPR

The General Data Protection Regulation (GDPR) is due to come into force on the 25th of May 2018. This short article is focused on the GDPR in the particular context of the Insurance Industry. Specialised consideration of the new Regulation is essential given that non-compliance with GDPR rules may lead to the imposition of heavy fines among a number of other sanctions.

It is essential to note that the GDPR will apply to insurance companies all around the world and not only those which are based in member states of the European Union. Should your company, in the course of its operations, process the personal data of European citizens, then it must be GDPR compliant. What this means is that you must ensure that all of your preparations have been completed before the GDPR comes into force.

Data processors’ responsibilities under GDPR

In the context of GDPR and the insurance industry, one of the most significant developments is that the burden of ensuring compliance will now be divided between data controllers and data processors. Until now, the responsibility of ensuring the security of any processing of the data under their control was borne by data controllers. Data subjects can now take action against both data processors and data controllers if issues regarding the processing of their data arise.

As the majority of insurance providers are data controllers which depend on third-party processing, the new rules under the GDPR might in fact be better for them. Be that as it may, it is crucial that all contracts between insurance companies and data processors take into account the obligation that all parties be GDPR compliant.

Insurance industry profiling under the GDPR

Another domain where GDPR will undoubtedly have a major impact on the insurance industry is that of profiling. Profiling is often used in the insurance industry as a means of undertaking actions like setting premiums, uncovering possible fraud and planning marketing campaigns.

The GDPR introduces a new definition of ‘profiling’. Profiling is defined as any automated decision-making process, in particular the analysis and prediction of work performance, economic category, health status, personal interests and preferences, dependability and behaviour, location and movement. Clearly, this covers the majority of purposes for which profiling is used by the insurance industry.

Article 30 of the GDPR introduces a new right which declares that nobody should be subject to an entirely automated decision except in circumstances where such a decision is deemed necessary as part of an agreement between the data subject and the data controller, where the decision is legally required, or where explicit consent has been given by the data subject.

It is noteworthy that this right is applicable only when the whole decision is made using an automated process, and no human intervention whatsoever is involved.

Problems involved in making contracts

If you are considering the GDPR and the impact it is likely to have upon the insurance industry, it might seem as if the situation surrounding the use of profiling should be relatively straightforward. Surely it isn’t actually possible to demonstrate that automated decision making is a requirement for the completion of a contract? However, what about circumstances in which there is a third party to the contract, e.g. a named driver on a car insurance policy, or a policy that covers numerous staff members of a business? In scenarios like this, there is no contract between the third parties and the data controller. Therefore, there must be either specific consent or a legal justification for the profiling. It is probable that the consent of all of the parties included in the policy would be required, and hence that all of them would have to be covered by any automated decision-making process.

Changes to the rules on consent to use personal data

It is advisable to analyse the ways in which the concept of consent has been transformed under the GDPR. Here are some things to consider when your business is trying to ensure that its approach to consent is GDPR compliant:

  • All consent must be fully informed. Data subjects have to be made fully aware of what they are giving their consent to.
  • The precise purpose for which consent is sought must be clearly defined, and such consent is applicable only for the use of data for that specific purpose.
  • It is no longer satisfactory to obtain consent using pre-checked tick boxes. The data subject needs to take a positive “action” in order to give their consent.

Much greater weight is given to the importance of consent under the GDPR. If you plan to rely on consent as your justification for processing data you must be satisfied that the requisite consent is in place, that the data subject was fully informed before they gave their consent and that the data will be used only for the purpose for which consent has been granted.

Insurance industry preparation for GDPR

Insurance companies need to be prepared for the introduction of GDPR if they wish to avoid being hit with significant fines for non-compliance. Fines could be as large as €20,000,000, or 4% of the company’s annual turnover if that figure is greater. In practice, it is improbable that huge fines will prove to be commonplace. That does not, however, mean that you can take the risk of being complacent. Several essential preparations need to be made to ensure that a company will be GDPR compliant:

  • Make sure that all contracts with data processing providers incorporate GDPR requirements.
  • Audit all personal data held or processed by your company to confirm that it is accurate, current and that it is still necessary to retain it.
  • Make sure that you have the legal right to process personal data, and that all necessary consent has been sought and granted.