After almost four years of negotiations, drafting and discussions, the General Data Protection Regulation (GDPR) entered into force earlier this year. Businesses, including insurance companies, now have until May 25, 2018 to meet the new requirements under the GDPR. The GDPR aims to harmonize data protection legislation across the European Economic Area (EEA), making compliance for (re)insurance companies that operate in multiple EEA jurisdictions easier. However, in order to achieve this, the GDPR introduces a number of new requirements that will have a significant, and sometimes onerous, impact on (re)insurance companies. The GDPR is also likely to still be relevant to (re)insurance companies based in the UK despite Brexit, as the GDPR will become law in May 2018, which may be before the UK withdraws from the European Union, and even after withdrawal, the GDPR will continue to apply to UK companies that process data on EEA residents. Some of the key provisions of the GDPR that are of particular relevance for the insurance and reinsurance industry are summarized below.
The GDPR introduces an aggressive enforcement regime with administrative fines of up to four percent of a company’s annual worldwide turnover (gross revenue) or €20 million, whichever is higher. In addition, Data Protection Authorities (DPAs) will have significant investigative and corrective powers, such as the ability to impose a temporary or definitive ban on processing personal data, or to issue reprimands to controllers and processors (see below) for infringing the provisions of the GDPR. Further, any organization aiming to protect the data protection rights of individuals will be able to submit a complaint to a national DPA and bring actions on behalf of individuals. To reduce the risk of these sanctions being imposed, (re)insurance companies will need to carefully review the provisions of the GDPR and determine how they will ensure compliance.
Application to Non-European Businesses
The GDPR extends the territorial scope of data protection legislation to include data controllers and processors based outside the EEA that process personal data of EEA residents, where the processing is related to: (i) the offering of goods or services to EEA residents; or (ii) the monitoring of their behavior. Therefore, if a U.S. or other non-EEA (re)insurer underwrites risk for or issues policies to companies or individuals in the EEA, or monitors an insured’s behavior, it will come within the scope of the GDPR and must comply with its provisions. This means that international (re)insurance companies are likely to come within the scope of EEA legislation, and such organizations will now need to review their data processing policies and protections to ensure that they are GDPR compliant.
The GDPR introduces a new one-stop-shop mechanism where businesses will ordinarily be accountable to a single lead DPA in the EEA country where the data controller has its main establishment. The lead DPA is required to cooperate with all “concerned” DPAs to reach a consensus on any decision, and where no consensus can be reached, the case can be referred to the newly formed European Data Protection Board (EDPB), which will issue a binding opinion. In exceptional circumstances, a “concerned” DPA can adopt provisional measures and request an urgent opinion from the EDPB. This may be beneficial to (re)insurance companies that operate across the EEA, as they will ordinarily only have to report to and deal with one supervisory authority for data protection issues that affect their cross-border operations.
Data Controllers and Data Processors
The GDPR keeps the current distinction between “data controllers” and “data processors” under the Data Protection Directive. With respect to the (re)insurance industry, it is likely that (re)insurance companies will be treated as data controllers. This is on the basis that, for example, (re)insurance companies, in many circumstances, determine what data of their customers and employees is to be collected, and for what purposes this data is to be used. As a result of being classified as a data controller (rather than as a data processor), (re)insurance companies become responsible for complying with the majority of the obligations under the GDPR. (Re)insurance companies often use many vendors, and the GDPR substantially broadens the obligations that must be contractually imposed on processors by controllers. Therefore, it is likely that many contracts with vendors that (re)insurance companies have entered into or will enter into, and that will continue past May 2018, will need to reflect these enhanced requirements.
In addition, the GDPR introduces the concept of joint and several liability for controllers and processors, meaning that individuals can claim compensation from either the controller or the processor in the event of non-compliance with relevant GDPR requirements. Therefore, documenting how liability will be apportioned in these events will now be extremely important, and contracts between controllers and processors will need to take this into account, as well as providing mechanisms to resolve any disputes.
Notice and Consent
The GDPR has increased the thresholds for obtaining consent to process personal data, including the consent of children. Consent must now be freely given, informed, clear and affirmative, rather than implicit and tacit. Data controllers must also be able to prove that they have received such consent from an individual for each processing operation they undertake. This could be problematic for (re)insurance companies, as they may process data for many different operations or for ancillary purposes. For example, an insurance company that underwrites health insurance may be required to ensure that it obtains express consent for processing health data about an individual, even though the primary purpose of the processing is related to performance of an insurance contract. A controller may be able to “grandfather” its existing consents beyond May 2018 only if the consent would satisfy the more onerous requirements of the GDPR. Given the duration of many (re)insurance contracts, companies may need to re-consent individuals, which may be a difficult and expensive exercise. In addition, the GDPR sets out new requirements as to the information that should be provided in data privacy notices, such as the contact details of the data controller, the legal basis of processing, the data retention period and so on. As a result of these increased requirements, (re)insurance companies will need to update and amend their policies, consents and customer materials to ensure they obtain the requisite level of consent from individuals for each operation where data is processed and provide the correct information in data privacy notices. This could be a costly and time-consuming administrative burden for (re)insurance companies.
The GDPR sets out enhanced accountability principles, including the requirement for organizations to implement data protection policies, to maintain a detailed record of processing activities, to conduct privacy impact assessments and to implement data protection by “design” and “default.” An organization will be required to conduct a privacy impact assessment where data processing uses new technologies and is likely to result in a “high risk” for individuals. Evaluating personal data based on automated processing (such as profiling), processing sensitive personal data on a large scale or systematically monitoring a publicly accessible area on a large scale are all examples of when a privacy impact assessment would be required. In addition, consultation with the DPA may also be required where processing would result in a high risk. As much of the personal data held by (re)insurance companies would be considered sensitive personal data (as (re)insurance companies often need information regarding health prior to issuing a policy) and profiling is used in certain insurance functions (such as underwriting), it is likely that many (re)insurance companies will be required to carry out a privacy impact assessment. These requirements add an additional compliance step for (re)insurance companies, which will need to be budgeted for in cost and time.
Information Security and Breach Notification
All organizations must implement appropriate technical and organizational security measures, particularly if sensitive personal data is processed (e.g. health data, or racial or ethnic origin data). Furthermore, after becoming aware of a security breach, depending on the level of risk, data controllers will be required to notify both their national DPA and the individuals adversely affected by the security breach, without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of the security breach. Given that insurance companies process a lot of sensitive personal data about individuals (particularly health insurance companies), such organizations are an attractive target for hackers. Insurance companies should therefore define and document a security breach response plan and update their IT systems to ensure they have adequate safeguards in place to protect against potential cyber attacks. The GDPR introduces a definition of pseudonymization, which was undefined in previous legislation. Pseudonymization (i.e. the processing of personal data in a way that it can no longer be attributed to an individual without the use of further information) is now a formally recognized security technique, and (re)insurance companies that do not already use this technique may wish to consider whether to introduce it. Nonetheless, pseudonymized data is still regarded as “personal data” and will be subject to the GDPR.
Increased Rights of Individuals
Two of the more controversial rights introduced under the GDPR are the ‘right to be forgotten’ (or the ‘right to erasure’) and the ‘right to data portability.’ The ‘right to be forgotten’ allows individuals (including children) to ask for their personal data to be deleted in certain circumstances, such as when the processing is no longer necessary or the individual withdraws consent. Data controllers and processors must comply with such requests unless certain derogations apply. In addition, where a controller is required to erase personal data which it has made public, the controller must take reasonable steps to inform other controllers that are processing such personal data that the individual has requested erasure by such controllers of any links to, or copies or replications of, such personal data. (Re)insurance companies will need to carefully assess this new right to be forgotten and determine how they will deal with requests to be forgotten and when the derogations to this right can be relied upon. (Re)insurance companies may need to keep personal data to comply with legal or regulatory obligations, or to be able to pay out on a policy at a later stage. However, whether such legal or regulatory obligations will fall under one of the derogations is still uncertain, and (re)insurance companies should therefore keep an eye on how this right will be exercised in practice and ensure that frontline staff are equipped to deal with these requests appropriately.
The ‘right to data portability’ allows individuals to request copies of their personal data from data controllers or processors, so that they can transfer their data to another provider. To facilitate the exercise of this right, controllers should ensure that personal data is processed in a machine-readable, structured and commonly used format, where this is technically feasible. This could be problematic for insurers and their intermediaries, as many hold personal data on different systems depending on the stage at which the data is processed. For example, they might have a separate system for underwriting and a separate system for dealing with claims. Also, given the nature of insurance policies and how long they might remain in force, many insurance companies may store personal data on older systems that might not be compatible with newer systems, making interoperability difficult. Accordingly, this right could expose insurance companies to large administrative burdens, as they would need to update and amend their processing systems to ensure they are standardized and interoperable. Development of interoperable formats to enable data portability is actively encouraged in the GDPR, and therefore, in order to mitigate the impact of this new right, the (re)insurance industry should start developing strategies to determine how it will deal with it.
The GDPR introduces new restrictions on data controllers carrying out profiling. Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Data subjects now have a right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects on, or significantly affects, an individual, unless the profiling (i) is necessary for the performance of a contract; (ii) has been authorized by Member State law; or (iii) is conducted with the explicit consent of the individual, and appropriate safeguards are implemented. (Profiling and automated decision-making cannot be applied to children.) This restriction could potentially extend to virtually all forms of data analytics, including positive forms of profiling. This right will have a huge impact on the (re)insurance industry, as the underwriting process uses platforms that are designed to price risk, allocate premiums automatically and systematically process information about individuals. In addition, the (re)insurance industry uses Big Data projects to assist in market analysis, targeted marketing and fraud detection, all of which are forms of automated processing. The new restriction on profiling is likely to add additional burdens for (re)insurers that undertake these types of processing activities, and in light of this, (re)insurers should review their current profiling activities to ensure compliance with the GDPR.
Transfer of Personal Data from the EEA
The GDPR maintains the current restriction on transferring personal data to countries outside the EEA that are not considered to have an adequate level of protection, such as the U.S. It also retains existing data transfer solutions, such as EU standard data protection clauses (also referred to as model contracts), the use of Binding Corporate Rules and the recently adopted EU-U.S. Privacy Shield.
It is clear that the GDPR will significantly impact the way in which the insurance industry processes personal data. While harmonization of data protection across the EEA will reduce the cost of the administrative burden that results from legal fragmentation, some of the key changes will require insurance companies to make policy or other administrative changes, which will be costly in the short term. It is important for the insurance industry to understand its obligations under the GDPR and start making the requisite policy, procedural, technological or other changes to ensure compliance. Failure to do so could result in significant sanctions and liabilities.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.