The General Data Protection Regulation (GDPR) will come into force on May 25th. In the meantime, companies in the insurance sector, like all others, must comply with its new requirements, which ensure that organizations properly manage the confidentiality of the information they have collected from, or been given by, European citizens. But what will change? What advice does the CNIL, the reference body in France for applying the GDPR, give to insurance organizations, advice that even US companies can apply?
A “compliance pack” due to evolve
By May 25, 2018, the enforcement date for the GDPR, the CNIL plans to update its compliance packages (and propose new ones). The insurance sector is the first affected. It must be said that insurance companies collect a considerable amount of data every year, which allows them to create personalized offers, adjust tariffs, or follow the evolution of the market and of consumer needs.
The insurance compliance package proposed by the CNIL is therefore due to be enriched soon with a GDPR component, in addition to its reminder of the standards to which these companies are subject. Still, by studying the text of the new General Data Protection Regulation, it is already possible to outline its contours further.
Remember: the rights of your customers
Let’s start with a quick reminder: what rights does the GDPR grant your customers? The most important are undoubtedly the following. These are the ones that will require a whole new approach to information governance in the insurance industry:
- The right of access to the data
- The right to be informed about the processing of the data used
- The right of rectification
- The right of opposition
- The right to portability of data, in some cases (we’ll talk about this again)
- The right to be forgotten
None of these rights, such as the right of access to data for example, is fundamentally new; most are already enshrined in the Data Protection Act of 1978. Those that already existed are nevertheless strengthened, reaffirmed and harmonized at the European level.
Thus, in the insurance sector, it is essential to master (and be able to communicate) the following information: the personal data recorded, its provenance, the names and roles of the persons authorized to use it, the purpose and use of the data, its location, and who has access to it. Article 18 of the GDPR gives any holder, past or current, of an insurance contract the right to receive a copy of their personal data, in a commonly used and easily readable format.
Insurance: how to be in compliance with the GDPR?
As an insurance company, you cannot take the risk of not complying with the requirements of the GDPR. To comply is to avoid a commercial risk (a sanction could have unfortunate consequences for your image and reputation) as well as a significant financial one: fines can go up to 20 000 000 € (US $23 million plus) or 4% of annual global turnover, whichever of the two is higher!
Therefore, the first step to comply with the GDPR is to appoint a DPO, or Data Protection Officer (in French, Délégué à la Protection des Données). Their mission will be to ensure that the law is respected and that processes are put in place to enhance the transparency of your company. In particular, they will have to make sure that you will be able, as of next May, to:
- Group all exchanges with customers, whatever the points of contact used (post, telephone, email, visits to a branch …), within the same document
- Demonstrate that your customers have consented to the use of their personal data
- Clarify, in the event of an audit by the supervisory authority and at the request of customers, the use made of personal data
- Set up information governance based on documentary traceability, storage security and responsiveness
What the CNIL recommends
The work required to become GDPR compliant must be implemented gradually. Thus, the CNIL recommends that insurers, like other companies, carry out four main operations.
- First, an organizational component: the designation of the DPO and their position in the hierarchy, and the setting up of steering committees.
- Then, a “risks and internal controls” workstream, allowing you to take stock of current practices and the elements to be corrected.
- This should be followed by the deployment of information governance tools (access, traceability, security, communication …).
- Finally, an awareness step, internal and external, on the new governance of information will complete the implementation of the GDPR in the insurance sector.
Compliance with GDPR is not optional for companies in the insurance industry. If you’re looking for help figuring out what you need to do, give us a call.