GDPR and insurance companies: what will change?

The General Data Protection Regulation (GDPR) will come into force on May 25th. In the meantime, companies in the insurance sector, like the others, must comply with its new requirements ensuring that organizations are properly managing the confidentiality of the information they have transferred or collected from European citizens. But what will change? What advice does the CNIL, a reference organization in France regarding the application of the GDPR, give to insurance organizations that even US companies can apply?

A “compliance pack” called to evolve

By May 25, 2018, the enforcement date for GDPR, the CNIL has planned to update (and propose new) its compliance packages. First affected is the insurance sector. It must be said that insurance companies collect a considerable amount of data every year, which allow them to create personalized offers, adjust tariffs, or follow the evolution of the market and consumer needs.

The insurance compliance package proposed by the CNIL must therefore be enriched soon with a GDPR side, in addition to the reminder of the standards to which these companies are subject. Still, it is possible, by studying the texts of the new General Regulations on Data Protection, to outline the contours even more.

Remember: the rights of your customers

Let’s start with a quick reminder: what are the rights granted to your customers by the GDPR? The most important are undoubtedly the following ones. These are the ones that will require a whole new approach to information governance in the insurance industry:

  • The right of access to the data
  • The right to be informed about the processing of the data used
  • The right of rectification
  • The right of opposition
  • The right to portability of data, in some cases (we’ll talk about this again)
  • The right to be forgotten

All of these rights, such as the right of access to data for example, are not fundamentally new; most are already registered in the Data Protection Act of 1978. Those that already existed are nevertheless strengthened, reaffirmed and harmonized at European level.

Thus, in the insurance sector, it is essential to master (and be able to communicate) the following information: the personal data recorded, their provenance, the names and roles of the persons authorized to use them, the purpose and use of the data as well as their location, and who has access to that data. Article 18 of the GDPR allows any holder, past or current, of an insurance contract the right to receive a copy of his personal data, all in a common format and easily readable.

Insurance: how to be in compliance with the GDPR?

As an insurance company, you can not take the risk of not being in compliance with the requirements of the GDPR. To comply is to avoid a commercial risk (a sanction could have unfortunate consequences in terms of images and reputation) as well as a significant financial pitfall – the fines can go up to 20 000 000 € (US $23 million plus) , or 4% of the annual global turnover (of the two, the highest amount will be retained!).

Therefore, the first step to comply with the GDPR is to appoint a DPO, for Data Protection Officer (Delegate for Data Protection). Its mission will be to ensure that the law is respected and that processes are put in place to enhance the transparency of your company. In particular, he will have to make sure that you will be able, as of next May, to:

  • To group all the exchanges with the customers, whatever the points of contact used by them (mail, telephone, mail, passage in agency …) within the same document
  • To demonstrate that your customers have consented to the use of their personal data
  • To clarify, in the case of institutional control and at the request of customers, the use made of personal data
  • To set up information governance, based on documentary traceability, storage security and responsiveness

What the CNIL recommends

The work required to get GDPR compliant must be implemented gradually. Thus, the CNIL recommends for insurance, as for other companies, to carry out 4 main operations.

  1. First, an organizational component, with the designation of the DPO and its hierarchical position, and the setting up of steering committees.
  2. Then, a site “risks and internal controls”, allowing you to take stock of the current practices and the elements to be corrected.
  3. It should be followed by the deployment of information governance tools (access, traceability, security, communication…).
  4. Finally, an awareness step, internally and externally, on the new governance of information, will have to complete the implementation of the GDPR in the insurance sector.

Compliance with GDPR is not optional for companies in the insurance industry. If you’re looking for help figuring out what you need to do, give us a call.


Who are the Data Controllers and Data Processors in GDPR?

In my last Blog, I talked about the definition of Personal Data and the various data protection actions that Data Controllers and Data Processors made apply to this Personal Data (Anonymize, Pseudonymize and Minimize).

But who are these Data Controllers and Data Processors?

These are the parties that capture, process and store Personal Data belonging to Data Subjects. Under the GDPR Regulation, these parties have obligations to protect the Personal Data of these Data Subjects.

Data Controllers/Data Processors

Data Controllers

This is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law”;

In plain English, this is the party (individual, entity or authority) with which the Data Subject exchanges his or her Personal Data to receive the goods and services.

The GDPR Regulation imposes a range of data protection obligations on the Data Controller, including:

  • Restrict the scope of data that can be collected and the duration of retention of this data
  • Seek and obtain the consent of the Data Subject BEFORE the Personal Data is captured
  • Once received, protect this data
  • Notify data controllers if/when a data breach occurs
  • Appoint a Data Protection Officer or DPO (under certain conditions) – covered in a future blog

Data Processors

Similarly, the Data Processor is “the natural or legal person, public authority, agency or other body which pro-cesses personal data on behalf of the controller.”

This is the party that performs part or all of the processes on behalf of the Data Controller. One of the game changers with GDPR is that Data Processors also have obligations under that regulation and that these obligations also apply even to Data Processors located outside EU jurisdictions, example a US-based cloud provider performing data processes on behalf of an EU-based Data Controller located within the EU:

  • Must implement specific organization and technical data security measures
  • Keep detailed records of their processing activities
  • Appoint a Data Protection Officer or DPO (under certain conditions)
  • Notify data controllers if/when a data breach occurs

In view of these GDPR obligations, Data Controllers must do more diligence to the processes by which they select new Data Processors and re-qualify existing ones.

Data Controllers must also determine whether they fall under the GDPR Regulation and identify their responsibilities and measures they must implement vis-à-vis the Personal Data they process.

Lots more to talk about here, but suffice it to say that organizations that fit the definitions of Data Controllers and Data Processors should assess their GDPR-related Data Protection obligations and implement measures and technology-based solutions to enable and enact their compliance.

I will cover further aspects of the GDPR Regulation in upcoming blogs, namely the rights of Data Subjects.

Bassam Zarkout

Everteam and Aurotech Partner to Support Information Governance Across Banking, Finance, and Insurance

Boston, MA: Everteam, a leading technology provider of information governance solutions and Aurotech, Inc, a management and technology consulting firm, announce a strategic partnership to support enterprise organizations’ efforts to improve archiving and records management strategies in support of increasing compliance and privacy regulations.

Together the two companies will provide the strategic advice and technology necessary for successful information governance.

Organizations in Banking, Finance, and Insurance face growing regulations around information privacy and security, including support for the upcoming EU General Data Protection Regulation (GDPR) directives on data privacy. The challenges focus not only on appropriately securing information but on what information to keep and where to keep it.

With the help of Aurotech and Everteam, these organization can increase the effectiveness of their information management policies through well-defined content analytics, application archiving and decommissioning as well as records management programs.

“Everteam is pleased to partner with Aurotech, Inc. Their commitment to delivering solutions that increase efficiency and productivity across a range of information governance programs combines well with our delivery of information governance solutions that are easy to use and provide the critical capabilities needed by organizations today,” said Firas Raouf, CEO Everteam.

The implementation of digital transformation strategies is driving the adoption of new innovative technologies. It’s critical that effective legacy application decommissioning strategies are put in place to not only deal with legacy applications but ensure the appropriate migration of information to the new system an archiving solution or proper disposition. Surrounding all this is the application of content analytics and records management policies that ensure data is properly managed regardless of where it resides.

“Our customers are constantly dealing with mission-critical and complex business issues related to the proper management of their enterprise content. It’s our mission to ensure they have the right strategies in place and the right technology to support those strategies. Everteam’s Information Governance solutions provide an excellent mix of capabilities to help our customers manage their content end-to-end.” said Tim Schwedes, ECM Governance Lead Aurotech, Inc.

To learn more about this partnership and how we can help you, contact:

  • Aurotech: Niki Ward, Account Manager (; 208.559.2086)
  • Everteam: Ken Lownie, VP Operations (; 1 978.618.2363 )

About Aurotech

Aurotech is a provider of Information Governance and Business Process Management (BPM) solutions. With years of focused experience and leveraging an extensive partner network, we match technology to our customers’ requirements to address the full range of compliance, automation, and archival needs.

About Everteam

Everteam is a global software vendor specializing in information governance and process automation solutions for mid to large corporate enterprises and government entities. With over 25 years experience and innovation in the field of Enterprise Content Management, Everteam is recognized for successfully delivering highly sophisticated implementations of Content Management, Information Governance, and Business Transformation solutions.

How Analytics Help You Manage Your Information Silos

Over time, companies accumulate large amounts of data across different systems and tools, creating information silos. For many organizations, it’s difficult to manage shared access to these silos and control that access.

At the heart of most information siloes we find the management of the “document” with its two levels of complementary information, united and inseparable:

  • The document itself
  • The metadata, attached to the document that facilitates access to the document. Metadata provides classification, security and permissions (authentication) for the document. It also enables interoperability.

The challenge is that internal staff often find the process of capturing metadata tedious and complex, and are abandoning metadata assignment. But search engines depend on metadata to organize information and improve search queries. Without it, documents are indexed by file only, leading to a loss of control over the information. This loss of control has the potential to drive major risk to the company:

  • The dilution of information with high added value
  • Increased risks of non-identification of binding documents
  • Non-compliance with regulatory requirements for the retention and destruction of documents
  • The continuous rise in volumes stored on expensive and unsuitable media

There are many solutions that can manage these information silos including SharePoint, Box, Google Drive, Everteam and others. Often, organizations have more than one solution in place. And therein lies a big part of the challenge.

How analytics can help

Analytics technologies support the combination of innovations born of Big Data and Machine Learning. In other words, it is possible to analyze large volumes of data (including unstructured information) thanks to the power of file and content analytics and make sense of it automatically. Analytics can take away the need for knowledge workers to manually add metadata to documents. It does this by applying machine learning algorithms analyze the content of a file and automatically add the appropriate metadata information.

The best analytics solutions work with both structured and unstructured data in the same search interface. Analytical tools can completely reconfigure the exploitation of information on several levels.

From an operational point of view, Business Divisions can:

  • Quickly access relevant information, including in multisource and multilingual contexts
  • Expose information from duplicate or obsolete documents
  • Quickly identify all the company’s binding documents
  • Capitalize effectively on the storage repositories

Analytics technologies can also control a number of risks related to the unavailability or expiry of information. They can put General Management in a position to respond to the regulatory obligations inherent in its business and sector of activity. And they contribute to the proper running of the business by providing an effective and efficient service to internal customers, better able to meet the standards of their profession.

Finally, IT Departments see their work get easier and IT costs decrease by controlling storage and backup budgets, reducing the costs and delays of migration from one silo to another and, lastly, the perpetuation of stored formats.

Want to understand more connecting your information silos with analytics? Download our File Analytics datasheet.

Like what you’re reading on the blog? Subscribe to our newsletter. 

GDPR & You: Are You Ready for new European Data Protection Regulations?

There is a fundamental transformation underway. In the digital economy information is the currency of exchange. And, information knows no boundaries. Harmonization of regulations that fosters the free flow of information while strengthening privacy and security rights is an imperative for policy makers.

Take the EU and US trading block as an example. The total value of goods and services between the two largest trading blocks is estimated at $5.5 trillion employing 15 million. Cross border flows between the EU and the US are estimated to be 50% higher than any other trading block. 65% of US investment in information technology is in the EU.

Identity theft and impact of security and privacy breaches are impacting customer experience and customer loyalty negatively at increasing levels. They are also driving regulators to bolster data security and privacy legislation to impose stricter obligations on businesses and data controllers. Enter the new European Data Protection Regulation (EU GDPR).

As a response to advances in digital technologies such as big data, cloud computing and predictive analytics, coupled with revelations of bulk data collection and profiling by intelligence services the General Data Protection Regulation (GDPR) is a comprehensive overhaul of privacy legislation which considerably strengthens and expands privacy rights.

It spans more rigorous consent requirements data anonymization, the right to be forgotten and breach notification, which could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year — whichever is the greater — being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover — whichever is greater. For the average Fortune 500 company, that puts fines in the range of $800-900M.

In this new AIIM e-book (sponsored by Everteam) – Information Privacy and Security: GDPR is Just the Tip of the Iceberg, the focus is on five key questions that should be on every C-level executive’s list of priorities:

  1. How has the environment for information privacy and security changed?
  2. What is GDPR, why should you care, and what does it mean for your organization?
  3. What does “Privacy by Design” Mean?
  4. How will the Internet of Things make the privacy equation even more complicated?
  5. What should your organization do about all of this, and what role will machine learning play in solving the problem?

You can download your copy of the ebook here. And sign up for our newsletter to get more insights and guidance on GDPR and information governance straight to your inbox.

Gearing up for KMWorld – Join Us There

It’s a couple of weeks away and we’re deep into planning a great experience at KMWorld this year. Now maybe you why a software company focused on Information Governance and enterprise content management is sponsoring and speaking at KMWorld. If you sit down and think about though, the relationship is clear – Information Governance and Knowledge Management go hand in hand.

Knowledge workers deal with a lot of information spread across the company. Unfortunately a lot of it is in silos that are hard to reach and sometimes hard to find period. What do many knowledge workers do to get around this challenge? They go get everything they need and store a copy of all information in a file share or file sharing cloud-based application or on there hard drive. How do exactly do you manage this information now? How can you be sure that you aren’t violating a compliance policy or regulation? How do you your knowledge workers are accidently exposing private information? You need an information governance strategy – one that starts with file analytics.

Another way to look at this challenge is when you merge or acquire a new company. The same challenges, the same risks, and the same opportunities to engage in a process of information governance, something that isn’t so prohibitive or hard to manage that it never really gets adopted.

We’re Speaking at KMWorld!

VP Operations for Everteam USA, Ken Lownie is finalizing his presentation for his speaking session. His topic? Information Governance: A Key Enabler of Knowledge Management.

Here’s the overview and key takeaways from his session”

A prerequisite to effective knowledge management is the ability for an organization to capture, organize and preserve their information assets.  Information governance (IG) is focused on exactly those tasks.  In this session, I will five use cases from “real life” information governance initiatives.
Key takeaways:
  • The five fundamental capabilities of an IG framework
  • How to design an IG program that delivers IT cost reductions
  • Strategies for consolidating  information assets through a merger or acquisition
  • How to define an IG  program that will increase compliance and reduce risk related to data theft
  • The role of content analytics in information governance and knowledge management

Going to KMWorld? Let’s Connect

Ken and Dan Griffiths will be manning our booth at KM World – we have giveaways and prizes to win and some great reading material to take home with you. If you are attending and would like to arrange a chat, let us know and we’ll schedule time on Ken or Dan’s calendar.

What is GDPR and how is it related to Information Governance?

Unless you have been in a cave in the past year, you must have heard about GDPR, the European General Data Protection Regulation. It is a comprehensive data privacy directive which takes effect on May 25th, 2018. The directive builds on the current EU Privacy Directive and unifies data protection laws in EU countries.

Note: This is the first in a series of posts on the subject of GDPR compliance.

GDPR at a high level

  1. Data Privacy is a fundamental right of “natural persons” (called Data Subjects which are essentially EU Citizens anywhere in the world and individuals located within EU jurisdictions).
  2. This right relates to Personal Data; any information exchanged between Data Subjects and Data Controllers (providers of products and services) and Data Processors (their outsourcers), information that can be traced back to the Data Subject:
    • Personal: name, gender, national ID, location, DOB, physical, genetic, psychological, mental, cultural, social characteristics, online computer identifiers, medical, financial, etc.
    • Organizational: recruitment, salary, performance, benefits, etc.
    • Other: race, ethnic, religious, political opinions, biometric, etc.
  3. These Privacy Rights state that you can ONLY collect Personal Data lawfully and for legitimate reasons, and you are limited to using it to what is necessary and what it was intended for:
    • Right for consent
    • Right to be forgotten
    • Right for rectification
    • Right for data portability
    • Right to object
    • Right for limited usage of collected data
    • Right to be notified about data breaches

It is worth noting that the above GDPR restrictions apply to Data Controllers and Data Processors even if they located outside EU jurisdictions (example a US-based cloud provider).

GDPR defined

Organizations found to be non-compliant can face significant fines amounting up to 20 million Euros (roughly US$ 23.5 Million) or 4% of global annual revenue, whichever is greater. Not small change.

If you do the math, a US$ 10B corporation found to be non-compliant may be fined US$ 400 million.

“Sky is falling” statements like this can often produce the reverse effect:

  • There are no signs that the GDPR Supervisory Authorities in the various EU countries will be trigger happy on May 25th, 2018.
  • Organizations are however advised NOT to take the matter lightly… GDPR is serious business… and violations will probably be handled firmly.

What does all this have to do with Information Governance?

A lot.

GDPR compliance is perhaps the compelling event that organizations have been “waiting for” in order to fully embrace the Information Governance culture. Common “values” that are delivered by effective Information Governance Programs go a long way towards facilitating GDPR compliance, such as:

  • Visibility through content (content analysis, classification, etc.)
  • Data and content minimization (elimination of ROT)
  • Systematic lifecycle management and controls over content

GDPR is a deep subject, and in upcoming posts I will dive a little deeper its various aspects, such as:

  • Definition and scope of Personal Data
  • Obligations of Data Controllers and Data Processors
  • Privacy Impact Assessments
  • Data Privacy Officer
  • Consent
  • The “vaulted” Right to be Forgotten
  • Right of Data Portability
  • “Privacy by Design” and “Privacy by Default”

Details to come.

Everteam and Flatirons Jouve Partner to Help Organizations Advance Information Governance

The right combination of strategic consulting and information governance tools for compliance-driven organizations

Boston, MA: Everteam, a leading provider of Information Governance and content management software and Flatirons Jouve, a content lifecycle management consultant and systems integrator, and , announce a new partnership to help organizations address their toughest information management challenges. Together, Flatirons Jouve and Everteam provide a strategic consulting and intelligent Information Governance solution to help clients develop and deploy comprehensive information management strategies. Through the partnership, Flatirons Jouve will serve as one of Everteam’s select integration partners in North America and Europe, giving clients easy access to Everteam’s leading suite of Information Governance software and Flatirons Jouve’s consulting and implementation teams.

Enterprises face enormous challenges today with managing their growing information, whether structured data or unstructured content. Information growth within existing and new IT systems is forcing the re-evaluation of information lifecycle management strategies. In addition, enterprises are under intense pressure to ensure the integrity of their data within the firewall and to adhere to ever-stricter data governance requirements.

Everteam’s Information Governance solutions cover the five-step stages of an effective content lifecycle strategy: Connect to all content and data repositories across the organization, discover the content within those repositories, effectively manage and archive data according to records management policies, and leverage that data through actionable content analytics.

Flatirons Jouve has a proven track record in supporting clients’ content lifecycle management needs across a range of markets including manufacturing, banking, healthcare, insurance, education, the public sector, and more. Their experience has helped many enterprises reduce costs and risk through the proper management of data.

“The decision to partner with Flatirons Jouve came down to their extensive expertise in helping enterprises solve their most strategic information management challenges,” said Firas Raouf, CEO Everteam. “Through the partnership, organizations now have easy access to some of the best information management consultants and most sophisticated Information Governance software available today.”

“A solid information governance strategy requires not only understanding what data you have across your organization, but also managing it according to well-defined policies and leveraging that data to improve customer experience,” said Joe Mihalik, Chief Consulting Officer of Flatirons Jouve. “Everteam’s approach to information governance, particularly its ability to connect to existing systems and content repositories, and apply records management and content analytics across all data, ensures organizations have the right tools at each stage in the content lifecycle.”

To learn more about Everteam’s suite of Information Governance software, visit

To learn more about Information Governance consulting and system integration, visit .

About Everteam

Everteam is a global software vendor specializing in information governance, content management and process automation solutions for mid to large corporate enterprises and government entities. With over 25 years experience and innovation in the field of Enterprise Content Management. Everteam works with enterprise customers across the world, including Florida Blue, First Financial Bank, Orbitz, St. Gobain, Singapore Airlines, BNP Paribas, British Sky Broadcasting and Slate Street. Everteam is headquartered in Lyon (EU) and Boston (US), with regional offices in Beirut, Dubai, and Paris.

About Flatirons Jouve

Flatirons Jouve™ ( provides solutions and services that organizations need in order to harness their most complex data, optimize their business processes, and create compelling digital experiences. A longtime leader in content driven markets like aviation and publishing, Flatirons Jouve™ also provides disruptive innovations to meet knowledge delivery requirements in the manufacturing, banking, healthcare, insurance, education, and public sectors. Flatirons Jouve™ counts 2,500 employees and operates worldwide in 15 countries from offices in North America, Europe, Asia, and Africa.


Media Contact:

Barb Mosher Zinck

Houston Executive Breakfast: Is Your Content Making You a Cyber Risk?

Join us in Houston on October 18th for an Executive Breakfast with the Experts where we will share an innovative approach to reducing risk that combines information governance with business continuity and insurance.

During this one-hour chat you’ll hear from:

  • Rob Walters, Cyber Liability Specialist: Rob will talk about the correlation between information management and cyber liability, and how loose content controls greatly increase Cyber Risk.
  • Gungor Aydogmus, CEO InfoDNA Solutions: Gungor will outline an approach to developing or improving your information management program that includes eliminating ROT and improving security and governance.
  • Ken Lownie, CCO Everteam: Ken will give you a practical approach to Information Governance and walk you through the tools required to find and govern your information right.
  • Supreet Singh, Tech Strategy & Management – Exp. Manager, Grant Thornton: Supreet will discuss the challenges of balancing cyber risks and opportunities to drive innovation and growth and how organizations need to shift to a “control to transform” mindset.

We’ll also conduct a Q&A session where you can ask the panel questions that relate to your situation and challenges.

You will leave this session with:

  • A comprehensive Risk Reduction Strategy that combines content reduction, classification, content management and compliance with business needs.
  • A framework to protect sensitive information even when there is a successful cyber attack.
  • An understanding of the tools and processes necessary to lower Cyber Security insurance costs.

60% of organizations fear they aren’t prepared to manage cyber threats, according to a recent study. Manage your information properly, and you won’t fall into the same trap.

Learn how you can reduce cyber risk with information governance and the right insurance protection. Reserve your seat today.

Everteam Wins Award for Best InfoGov Company at InfoGovCon 17

Last week we attended, and happily sponsored, InfoGovCon 17. Providence, Rhode Island is a beautiful place to hang out for a few days and our team spent some time talking to event goers on all things related to information governance.

There is a lot of work to be done to improve how organizations manage their information. It starts with finding it all across all the different business systems where information is stored. It was clear from our discussions that file analytics is a critical capability needed. If you don’t know what information you have and where it’s located, how can you decide how to best manage it?

Of course, file analytics is only the beginning. Once you have that picture you need to start making some decisions. This is where the heart of information governance kicks in.

Bassam Zarkout did a presentation on File Shares Remediation, the process of determining what information you have and how to organize and deal with it. According to Bassam, there is so much content hidden away in file shares and other repositories, including cloud-based repositories, that organizations need to get a handle on it before it’s too late. (Think GDPR and Cyber Risk here). Check out his slides, they are packed with excellent insights!

The conference ended with a nice award for Everteam. We won the Best Information Governance Company of 2017 and we couldn’t be more proud. Our team works hard to design and develop the best solutions to support information governance strategies. We work with a great group of partners to deliver those solutions within the right framework for your company.

InfoGovCon Award

If you are interested in learning more about Everteam and our perspective on Information Governance, start with our Information Governance Overview or leave your contact info and we’ll get in touch.