The EU General Data Protection Regulation (GDPR) is designed to harmonise data protection laws across the EU, but certain industries will have to respond differently in order to achieve compliance. A report published by research and consultancy company Celent highlights the challenges that the GDPR presents to insurers.
All organisations that offer good and services to, or monitor the behaviour of EU residents are subject to the GDPR.
Insurers are data controllers: a person, public authority, agency or body that determines the purpose of processing personal data. An insurer can also be a data processor if it receives data from a third party that it is not permitted to process for its own purposes.
Steps insurers should take to become GDPR compliant
Celent outlines some areas that insurers should focus on when meeting the GDPR’s compliance requirements, including:
- Fair data processing: The GDPR requires organisations to appoint a data protection officer (DPO) in certain circumstances, so you must determine if you fall into any of those categories. Even if you don’t, you may opt to appoint a DPO anyway, as it will help you establish a clear policy in terms of data processing. Celent states that this policy should define the reasons for keeping data, give data subjects the right to obtain a copy of the data the insurer holds on them and allow the data to be erased.
- Consent: As with all industries, insurers need to make sure their data collection and consent processes are in line with the GDPR’s compliance requirements. Consent is one of six lawful grounds organisations can use to process data, but we recommend it should only be sought if no other ground applies. Insurers in particular process a large volume of sensitive data, so they will often be obliged to obtain explicit consent for data relating to health, for example.
- Data security: Insurers need to review their security procedures and be prepared to adapt them in order to comply with the Regulation. Celent recommends “integrating the data security management concept into the wider risk management framework”. Insurers should also consider risk mitigation techniques (such as anonymising archived data), regularly test contingency plans, assess their security measures and investigate the effectiveness of their technological defences.
- Compliance enforcement: Given the potential fines and reputational damage for failing to comply with the GDPR, insurers should monitor their data protection management procedures. This may involve requiring the DPO (if appointed) to report to the executive board, or the insurer may choose to assign a member of the board to sponsor a team of internal or external auditors.
Become GDPR compliant
If your organisation is not yet compliant with the GDPR, it is important that you start your implementation project now.
This EU GDPR Compliance Gap Assessment Tool has been created to help companies kick-start their compliance project by assessing their current stance against the GDPR, helping them clearly establish areas for development, and plan and prioritise their project effectively.