From 25 May 2018, the General Data Protection Regulation ((EU) 2016/679) (GDPR) will apply across the EU as the benchmark for data privacy. GDPR introduces new rules for the control and processing of personal data. Essentially, GDPR has two goals: (i) harmonising the data protection regime across the EU, in the interests of ensuring a level playing field, and (ii) protecting fundamental rights of privacy.
The changes introduced by GDPR will have a profound effect on how insurers handle personal data, not only in underwriting risks and handling claims but also when using data for the purpose of analysis. Issues will arise as to the uses to which a piece of data may be put, how long it can be stored and how it should be kept (if at all). It would be a mistake to think that the consequences of the new laws will be felt only by underwriters of personal lines business. Rather, GDPR will affect everyone in the underwriting chain including the insurer, reinsurer, brokers, coverholders, claims managers, loss adjusters and even document disposal organisations.
As time is running out on the old regime, insurers and reinsurers will need to ensure that they have taken all necessary steps to comply with the new rules. The penalties for breach of the rules are potentially severe and may be as much as 4% of global turnover or €20 million, whichever is the greater.
Even though one of the drivers behind GDPR was to have a uniform regime across the EU, there is some (limited) flexibility for member states to introduce or promote national data protection regimes. GDPR prescribes the minimum standard, but national laws may be even stricter. Below we look at the position in Germany and in the UK.
In Germany, GDPR will be accompanied by a new Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)), which will also take effect on 25 May 2018. The key features are as follows:
- BDSG applies to all data controllers and processors within the boundaries of Germany.
- It sets specific rules for dealing with employees’ data, including strict rules around obtaining employees’ consent to store such data.
- Despite Article 22 of GDPR (which gives individuals the right to object to decisions made about them purely on the basis of automated processing) an insurer may make a decision concerning an insured based on automated data processing if (i) the decision is in the insured’s interests or (ii) it concerns medical fees regulated by law.
- The duty to inform the individual about data storage and processing is limited in specific cases, such as where data is stored in analogue (non-digital) form, where the controller’s own legal interests need to be protected, or where the data has not been collected from the individual directly but is needed to pursue legal interests (claims or contracts).
In the UK, the Data Protection Act 2018 (currently the Data Protection Bill) will come into force in sync with GDPR on 25 May 2018. One of the functions of the Act is to set out the grounds on which ‘special category’ personal data can be processed, this being one of the matters left open to member states to decide. As reported in our recent post (https://inceinsurance.com/2018/02/08/gdpr-the-data-protection-bill-a-welcome-concession-to-insurers/), following representations from the insurance industry, the Bill has been amended to add a new ground for processing certain special categories of personal data (namely data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health) “if the processing is necessary for an insurance purpose”.
Another function of the Act is to ensure that the UK data protection regime is materially identical to that of the EU regime post-Brexit since, once the UK leaves the EU, GDPR will no longer be directly applicable. Any failure to mirror the EU regime could create huge problems for insurers, reinsurers and other entities transferring personal data between the UK and the EU.