22 January 2018

Protection of Personal Data to Become Even Stricter

Udo Oelen is Head of the Supervision Private Sector department of the Dutch Data Protection Authority (DPA). From 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. He takes stock of what the implications of this new European regulation are for the insurance industry. Actually, they are quite significant.

Privacy affects all of us

Detecting fraud is an important task for insurance companies. Privacy is an issue, as you want to do your work efficiently. FRISS’ Insurance Fraud & Digital Transformation Survey 2016 shows that privacy protection is one of the main challenges the insurance industry faces.

Besides being a fraud investigator, you are also an ‘ordinary human being’. Surely you would not want your holiday snapshots to be spread over the internet, your medical data to be open to everyone, or your financial transactions to be sold to advertisers. Privacy is just as important for you as for everyone else. Privacy is a basic human right.

Strict conditions

As a fraud investigator you are used to breaking into the personal life of others and to ‘trespassing’ on their personal data. This is permitted for fraud investigation, but only under strict conditions. After all, it always concerns people: it’s not about risk profiles, algorithms or traffic light ratings that are green, amber or red.

In 2018 the current strict conditions will be replaced by the General Data Protection Regulation (GDPR) which is even stricter still.

First, I will outline the new regulation. Then I will elaborate on the matters that apply specifically to the insurance industry.

The new regulation will come into force on 25 May 2018. There is no transition period, as the regulation was already announced two years ago. In other words, organizations have already had two years to prepare themselves. How do things stand in your organization?

The new GDPR regulation in a nutshell

This new regulation was long overdue. The current regulation dates from the time when the internet was still pretty much non-existent. Nowadays we live in the era of the Internet of Things and Big Data, and there is a need for new rules concerning privacy. The new regulation applies to all member states of the EU.

Here are the most important points of the GDPR in a nutshell:

  1. It strengthens the rights of citizens
    1. Citizens are more ‘in control’ of their own privacy. Consent for the processing of personal data needs to be given explicitly, and an organization needs to be able to prove that this is the case. Withdrawing consent should be just as easy as granting it.
    2. Citizens are given the right to be forgotten and the right of data portability. In other words, they should be able to ask for their personal data to be erased or transferred to another organization.
    3. Citizens can lodge a complaint with the Data Protection Authority. Each complaint has to be dealt with and may lead to an investigation and – possibly – a fine. At this moment complaints are still primarily seen as a signal.
  2. It gives organizations more responsibility and obligations – cornerstones of this are the terms responsibility and accountability.
    1. Organizations should implement accountability; in other words, being able to demonstrate compliance with the regulation.
    2. Organizations have a documentation obligation – a privacy administration documenting which data has been processed.
    3. Organizations should have a Compulsory Data Privacy Impact Assessment and a Data Protection Officer. More on this later.

Advantages of the GDPR regulation

The good news is that, with these obligations, come a number of advantages too. The regulation is international, which means that within the EU organizations have to deal with just one set of rules and one supervisory authority. In addition, the new regulation offers means of support to become compliant, such as codes of conduct and certification. The supervisory authorities are obliged to offer support.

Privacy Officers are given more authority. Above, we have already discussed having to deal with all complaints and being obliged to help organizations to comply with the regulation. The sanctions that can be imposed for non-compliance have increased significantly.

The GDPR impact on the insurance industry

What does this mean in particular for the insurance industry? The fundamentals will remain pretty much the same: there already needs to be a reason to be allowed to collect and process data. In your case this will often be ‘a justified interest of an organization’. Also important: you are only permitted to collect data that is necessary for the purpose in question. Only what is necessary, not all that is possible. And the processing needs to be proportional: a limited and concentrated examination of sources, rather than collecting a broad range of data.

Gartner states that organizations increasingly employ technologies to process structured and unstructured data from a variety of public sources. This might be at odds with the new regulation.

For your industry I would also like to point out the principle of subsidiarity. This means that the goal should be achieved by the least intrusive means. Secretly filming someone to prove fraud is not allowed if it can be detected in another, less intrusive way.

I would also like to bring to your attention that processing special categories of personal data has to comply with even more stringent requirements. This includes, for example, medical data and data of criminal convictions and offences.

New GDPR obligations

Besides these existing principles, you will have to deal with several new obligations.

  1. Processing Data Register – this register records which data is processed, for which purpose, on which basis, how it is protected, where it comes from and whether it is allowed to be used for other purposes. It is a Register that is compulsory for every organization which processes personal data and that can be checked by the supervisory authority. Such a processing data register might be a challenge especially for companies working with Big Data that use automated decision-making systems. The character of Big Data often entails that the origin is not or no longer clear.
  2. Data Protection Impact Assessment (DPIA) – this is mandatory for high-risk processing operations. This concerns organizations that collect data for profiling and use special categories of personal data on a large scale. Most likely you will be required to carry out such an assessment and take the necessary measures. As a supervisory authority, we can and are obliged to give you guidance and advice on this.
  3. Data Protection Officer – this position already exists, but the role will be reinforced. For example, the appointment of such an officer is mandatory in organizations that follow individuals on a large scale in order to make risk assessments – surely that sounds familiar to you!

Take these steps, take them on time

I have elaborated on several points, but there are more. Taylor Vinters has published a ten-step plan with all the things you really need to get sorted out soon. There is not much time left until 25 May 2018, so my advice would be to take it seriously.

Implementing the measures has to be done; it is achievable and necessary. It protects the personal data of everyone, including your own. We all want our privacy.


Cookie and Privacy Policy

1. Introduction

When you use this website, FRISS may collect information about your use of the website and the content offered. We believe it is important to handle your (personal) data with due care and confidentiality. When processing your personal data, we comply with the General Data Protection Regulation (Algemene Verordening Gegevensbescherming) and Article 11.7a of the Telecommunications Act (Telecommunicatiewet).

1.1.  Controller

The controller of the processing of personal data is:

FRISS Fraudebestrijding B.V.
Orteliuslaan 15
3528 BA

This processing of personal data is registered with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague under reporting number m00004997.

1.2.  Purposes of data processing

There are several places on our website where you can fill in your (personal) data. We will explain the purposes of the various instances of data processing below.

Filling in the contact form or sending an e-mail

If you fill in the contact form on our website or send us an e-mail, we will only use the (personal) data you provide for the purpose or purposes for which you filled in the contact form or sent the e-mail.

Download form

If you download files on our website (such as e-books, whitepapers or reports), we will use the (personal) data you provide for one or more of the following purposes:

  • for the execution of an agreement, for example to send you the e-book, whitepaper or report you have chosen;
  • for the formation of an agreement, for example by contacting you by telephone or in writing.


If you fill in the application form for the newsletter on our website, your (personal) data will be used to send you the newsletter. Each newsletter contains a hyperlink at the bottom of the message that you can use to unsubscribe.

In addition to the personal data you provide to FRISS yourself, FRISS may collect, record and process additional (personal) data if you use the (web) services of FRISS. This concerns the following personal data:

  • data from the used equipment, such as a unique device ID, version of the operating system and settings of the device you use to access a service;
  • information about the use of a service, such as the time at which you use the service and the type of service that is used;
  • location details from your device or derived from your IP address that is provided to us when you use a particular service;
  • data available from external sources. We may receive information about you from public or commercially available sources.

1.3.  Provision of (personal) data to third parties

Your (personal) data will never be provided to third parties without your permission, unless we have an obligation to do so pursuant to legislation or regulations or you have given permission for this.

1.4.  Security of data

FRISS respects your privacy and ensures that personal data are handled confidentially and with the utmost care. All processed (personal) data is stored exclusively in secure databases. These databases are only accessible to employees of FRISS, to the extent that this access is required by virtue of their position. FRISS makes every effort to secure these systems against loss and/or any form of unlawful use or processing.

1.5.  Inspection, correction and deletion of data and the right to object

You can view your data that is processed by FRISS at any time and free of charge and, if you so wish, modify this data or have it deleted. You can also object to receiving information about products, services or content of FRISS. If you wish to make use of one of these options, you can send an e-mail to the Data Protection Officer of FRISS via privacy@friss.eu or write to the following address:

FRISS | fraud, risk & compliance
Attn. Data Protection Officer
Orteliuslaan 15
3528 BA Utrecht.

2. Cookies

When using this website, information about your use of these services and other websites may be collected by or on behalf of FRISS, for example by means of cookies.

A cookie is a small file that is sent along with pages of a website and stored by your browser on the hard disk of your computer. We use cookies to remember settings and preferences. You can disable these cookies via your browser.

2.1.  The purposes for which FRISS uses cookies

On our website we use cookies for the following purposes:

  • for statistical purposes, in order to analyse the use of FRISS websites. This allows us to keep track of the number of visitors and see which parts of our website are popular. We use Google Analytics in order to track and consult these statistics. On this website you can find explanations about all cookies that may be placed by Google;
  • for what is known as ‘targeting’ purposes, if you have used the download form. By targeting we mean building a profile of you based on your surfing behaviour on our website, after which we may contact you by telephone or e-mail based on the interests you have shown in order to offer you FRISS services that you may be interested in. We use HubSpot in order to track and consult these statistics. On this website you can find explanations about all cookies that may be placed by HubSpot.

3. Changes to this Cookie and Privacy Statement

FRISS may make changes to this Cookie and Privacy Statement. All modifications will be published on this page. We advise you to consult this Cookie and Privacy Statement regularly, so that you are always aware of the content of the current Cookie and Privacy Statement.