Udo Oelen is Head of the Supervision Private Sector department of the Dutch Data Protection Authority (DPA). From 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. He takes stock of what the implications of this new European regulation are for the insurance industry. Actually, they are quite significant.
Privacy affects all of us
Detecting fraud is an important task for insurance companies. Privacy is an issue, as you want to do your work efficiently. FRISS’ Insurance Fraud & Digital Transformation Survey 2016 shows that privacy protection is one of the main challenges the insurance industry faces.
Besides being a fraud investigator, you are also an ‘ordinary human being’. Surely you would not want your holiday snapshots to be spread over the internet, your medical data to be open to everyone, or your financial transactions to be sold to advertisers. Privacy is just as important for you as for everyone else. Privacy is a basic human right.
As a fraud investigator you are used to breaking into the personal lives of others and to ‘trespassing’ on their personal data. This is permitted for fraud investigation, but only under strict conditions. After all, it always concerns people: it’s not about risk profiles, algorithms or traffic light ratings that are green, amber or red.
In 2018 the current strict conditions will be replaced by the General Data Protection Regulation (GDPR) which is even stricter still.
First, I will outline the new regulation. Then I will elaborate on the matters that apply specifically to the insurance industry.
The new regulation will come into force on 25 May 2018. There is no transition period, as the regulation was already announced two years ago. In other words, organizations have already had two years to prepare themselves. How do things stand in your organization?
The new regulation in a nutshell
This new regulation was long overdue. The current regulation dates from the time when the internet was still pretty much non-existent. Nowadays we live in the era of the Internet of Things and Big Data, and there is a need for new rules concerning privacy. The new regulation applies to all member states of the EU.
Here are the most important points of the GDPR in a nutshell:
- It strengthens the rights of citizens
  - Citizens are more ‘in control’ of their own privacy. Consent for the processing of personal data needs to be given explicitly, and an organization needs to be able to prove that this is the case. Withdrawing consent should be just as easy as granting it.
  - Citizens are given the right to be forgotten and the right to data portability. In other words, they should be able to ask for their personal data to be erased or transferred to another organization.
  - Citizens can lodge a complaint with the Data Protection Authority. Each complaint has to be dealt with and may lead to an investigation and – possibly – a fine. At this moment complaints are still primarily seen as a signal.
- It gives organizations more responsibility and obligations – cornerstones of this are the terms responsibility and accountability.
  - Organizations should implement accountability; in other words, they must be able to demonstrate compliance with the regulation.
  - Organizations have a documentation obligation – a privacy administration documenting which data has been processed.
  - Organizations must carry out a compulsory Data Protection Impact Assessment and appoint a Data Protection Officer. More on this later.
The good news is that, with these obligations, come a number of advantages too. The regulation is international, which means that within the EU organizations have to deal with just one set of rules and one supervisory authority. In addition, the new regulation offers means of support to become compliant, such as codes of conduct and certification. The supervisory authorities are obliged to offer support.
- Privacy Officers are given more authority. Above, we have already discussed having to deal with all complaints and being obliged to help organizations comply with the regulation. The sanctions that can be imposed for non-compliance have increased significantly.
The impact on the insurance industry
What does this mean in particular for the insurance industry? The fundamentals will remain pretty much the same: there already needs to be a reason to be allowed to collect and process data. In your case this will often be ‘a justified interest of an organization’. Also important: you are only permitted to collect data that is necessary for the purpose in question. Only what is necessary, not all that is possible. And the processing needs to be proportional: a limited and concentrated examination of sources, rather than collecting a broad range of data.
Gartner states that organizations increasingly employ technologies to process structured and unstructured data from a variety of public sources. This might be at odds with the new regulation.
For your industry I would also like to point out the principle of subsidiarity. This means that the goal should be achieved by the least intrusive means. Secretly filming someone to prove fraud is not allowed if it can be detected in another, less intrusive way.
I would also like to bring to your attention that processing special categories of personal data has to comply with even more stringent requirements. This includes, for example, medical data and data of criminal convictions and offences.
Besides these existing principles, you will have to deal with several new obligations.
- Processing Data Register – this register records which data is processed, for which purpose, on which basis, how it is protected, where it comes from and whether it is allowed to be used for other purposes. The register is compulsory for every organization which processes personal data and can be checked by the supervisory authority. Such a processing data register might be a challenge especially for companies working with Big Data that use automated decision-making systems. By its nature, Big Data often means that the origin of the data is unclear or can no longer be traced.
- Data Protection Impact Assessment (DPIA) – this is mandatory for high-risk processing operations. This concerns organizations that collect data for profiling and use special categories of personal data on a large scale. Most likely you will be required to carry out such an assessment and take the necessary measures. As a supervisory authority, we can and are obliged to give you guidance and advice on this.
- Data Protection Officer – this position already exists, but the role will be reinforced. For example, the appointment of such an officer is mandatory in organizations that follow individuals on a large scale in order to make risk assessments – surely that sounds familiar to you!
Take these steps, take them on time
I have elaborated on several points, but there are more. Taylor Vinters has published a ten-step plan with all the things you really need to get sorted out soon. There is not much time left until 25 May 2018, so my advice would be to take it seriously.
The measures have to be implemented; this is achievable and necessary. It protects the personal data of everyone, including your own. We all want our privacy.