Its impact won’t just be felt in Europe, however, as it may have wider implications for companies across the world that may be viewed as established in the EU, viewed as selling services to data subjects in the EU, or that monitor the activities of EU data subjects (if that activity occurs in the EU).
Companies can face fines running into tens of millions of euros if they breach the new rules. The insurance industry is extremely rich in its use of personal data. Large volumes of personal information are stored in a compliant manner, and the introduction of telematics is swelling this ‘big data’ pool.
For the first part of our blog series looking at GDPR, I will look at the full background on the new regulation and what it means for insurance.
Q: What exactly is GDPR?
A: Coming into effect on 25 May 2018, it is a new set of rules governing the privacy and security of personal data. It will replace all of Europe’s privacy laws currently represented in the Data Protection Directive (Directive 95/46/EC) from 1995.
As it is a regulation rather than a directive, the new law will come into force in a uniform way across the whole of the EU, avoiding the patchwork of different national interpretations of the law that came about in 1995. In theory this means companies will face more harmonised data protection compliance requirements across the region.
Q: What are the main points of the new law?
A: It has been designed to bring data regulation up to date with the many tools and devices that involve personal data transfer in the modern connected world. Many new technologies have emerged since the 1990s (such as smartphones, fitness trackers and connected vehicles).
It has been designed so as to avoid any power imbalance between citizens and the companies they rely on to process and hold their personal data. For example, ‘consent’ to use data is supposed to be freely given and ‘explicit’ for certain sensitive personal data; it can’t be a condition of service.
Under the new rules, individuals also have the ‘right to erasure’ of their data in certain circumstances, sometimes called the ‘right to be forgotten’. This means that they will be able to request that businesses delete their personal data if it is no longer needed for the original purposes for which it was collected.
There is also the intention to simplify the regulatory environment. However, there are inevitably some complex use cases, such as when a consumer withdraws consent to use their personal data but another legal basis such as ‘legitimate interests’ may apply (for the purpose of fraud prevention, for example).
Q: How will this impact on consumers?
A: As well as the right to erasure, GDPR holds provisions that could potentially increase the consumer’s rights over the use of their personal data. However, there are still grey areas at this stage about things like how ‘fair notice’ will work and how customers will be able to transfer their data from one service provider to another (‘portability’).
The rules around the ‘right to erasure’ mean that in theory someone could ask social networks to delete their profile entirely. But the laws relating to freedom of expression will stop this right extending to media articles.
The GDPR is likely to encourage more portability of personal data, with the aim of making it simpler, for example, to swap insurers, utility companies or broadband providers. But it is not yet clear how this data portability will work in practice. Consider, for example, a usage-based insurance customer who wants to export their driver data or view it in some form that is laid down in the law. How will this telematics data, amounting to many gigabytes, be handled?
We are in favour of the insurance industry coming together as a working group to work through some of the principles of personal data portability, with the aim of maintaining transparency for the insurance consumer. Such efforts can be very productive. Indeed, the UK ministry recently recommended that the GDPR consent rules be modified slightly for the insurance industry when the UK enacts its GDPR implementation law.
Q: How will this impact on the insurance business?
A: In the insurance industry we are all working together on things like crime prevention and improving the consumer experience with effective use of data. However, with the ever-present threat of cyber-crime, there are unsolved questions about how to give control of personal data back to consumers, whilst keeping them completely safe. This is the subject of ongoing industry discussion.
The new laws come with substantial fines for companies that fail to comply with the new data breach notification procedures, data retention rules, the new rights of the data subjects and other areas.
The GDPR places greater accountability obligations on data controllers to demonstrate compliance. This includes requiring them to:
- Implement data protection ‘by design’ and by default, for example through data minimisation and retaining data for specific stated purposes only
- Maintain comprehensive documentation, including a written record of processing activities
- Conduct a data protection impact assessment for more risky processing
- Appoint a data controller representative, in certain circumstances even when not established in the EU
- Ensure they are notified of any personal data breach without undue delay
Data processors will have direct obligations for the first time and these will be addressed in relevant contracts and commercial agreements. Good data management principles mean that personal data uses will be narrowed down and specified in agreements, rather than subject to broad terms.
Q: Does it affect businesses outside the EU?
A: The GDPR affects data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to EU consumers, or to the monitoring of EU data subject behaviour that occurs in the EU. Many such companies will need to appoint a representative in the EU.
Q: What are the other key points to be aware of?
A: The Information Commissioner’s Office in the UK recently released a set of guidelines to help businesses prepare for GDPR. Follow the link to their report and the 12 recommended steps for staying within the law.
The ICO recommends that companies review their privacy notices and ensure there is a plan in place for making the necessary changes. It’s important to note that the rules are not that scary for companies who already comply with good data principles, for example those contained in the UK’s Data Protection Act and the original 1995 Directive.
At LexisNexis we are working through the principles coming with GDPR, not just through oversight and governance of our clients’ data, but also extending through to the data flows with intermediaries and software houses. There are many positive things that GDPR will bring in terms of ‘consent’ and ‘legitimate interests’.
This article is care of Lexus law; the original article can be found here.