In May 2018 the European Union adopted up-to-date rules for personal data processing implemented by General Data Protection Regulation (ЕС 2016/67 of 27 April, 2016) ("GDPR"). GDPR came into direct effect in all 28 Member States of the EU on 25 May 2018 and replaced the Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to processing of personal data and on the free movement of such data (Directive 95/46/EC). The introduction of the GDPR is certainly going to have a significant impact on the insurance industry due to the large amounts of personal data and sensitive personal data processed by insurers. Insurance companies will need a greater awareness and command over the data they process and share and will also need to be able to justify why they must obtain and hold the data in question.
Article 4(1) of the GDPR defines "personal data" as “any information relating to an identified or identifiable individual person ("data subject"); an identifiable individual person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual person”. The definition is extended, and it should be stressed that it even includes the IP addresses of individuals.
In the case of insurance companies, the GDPR implementation process is similar to that of banks and other institutions that process personal data. Insurance agents often collect extremely sensitive data, defined by GDPR as "special category data", such as lifestyle, state of health or addictions, they require special protection, and their leakage or illegal transfer can have very serious consequences. Such companies are and will be required to take all necessary steps to ensure that all procedures taken relating to data collected and processed are GDPR compliant.
Another important topic for insurance companies regulated by the GDPR is the insurance of minors. At present, processing of minors' data requires parental consent. Another important issue is the cooperation of insurance companies with third parties, such as brokers. The process of implementing GDPR requires, in this case, the signing of an appropriate form of contract, which will determine whether the broker is a “data processor” and/or also a “data controller”.
Insurers must ensure that any third-party supplier they use and/or cooperate with, has the appropriate controls and/or procedures in place to meet GDPR requirements. The appointment of a Data Protection Officer, who will monitor and control compliance with the new laws is a prerequisite.
Furthermore, and according to “Insurance Europe”, a data protection impact assessment should be carried out by insurers who process data in a way which poses a high risk to an individual’s rights and freedoms.
GDPR non-compliance – Penalties and fines
According to Article 58 of the GDPR there are certain powers under which the Commissioner can issue warnings and reprimands, order compliance with the data subject’s requests to exercise their rights pursuant to the GDPR and compliance with the provisions of the Regulation, in a specified manner and within a specified period.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”. The first level of administrative fines is an amount of up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) will be applied in case of breach of obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 of the GDPR.
The second level of administrative fines is an amount of up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) will be applied in case of breach of basic GDPR principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; data subjects' rights pursuant to Articles 12 to 22; infringement of transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49.
Consequently, violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.