In its March 2018 Global Insurance Review, law firm Sidley has reviewed the impact that the European Union’s (EU) General Data Protection Regulation (GDPR) is likely to have on the European re/insurance industry, and concluded that the ramifications will be significant and potentially onerous.
The GDPR was introduced in May 2016 in an effort to harmonise data protection legislation across the European Economic Area (EEA) and support companies operating across multiple EEA jurisdictions, but re/insurers have now been given until May 25th, 2018 to meet the new requirements.
Companies that fail to fully comply with the new provisions of the GDPR may incur administrative fines of up to 4% of their annual worldwide turnover, or €20 million if the figure falls below this amount.
Sidley also notes that the GDPR will remain relevant to UK re/insurers despite Brexit, partly because companies must comply a full year before the UK’s expected departure from the EU, but also because UK companies that process data on individuals in the EEA will remain subject to its rules.
One of the key GDPR provisions that Sidley identifies as likely to impact re/insurers is the new ‘one-stop-shop’ mechanism, which ensures businesses processing data across borders will be accountable to a single Data Protection Authority (DPA) in the EEA country of their main establishment.
Additionally, the GDPR will preserve the Data Protection Directive’s current distinction between ‘data controllers’ and ‘data processors’, which Sidley notes will entail significant repercussions for re/insurers, as they are likely to be considered data controllers.
This classification is due to re/insurers’ roles in determining what data to collect from customers and employees, as well as how it is used. Any companies classed as data controllers will become responsible for complying with the majority of the obligations under the GDPR.
Also pertinent to re/insurers are the higher thresholds the GDPR now requires for obtaining valid consent to process personal data, as affirmative and informed consent must now be freely and clearly given, rather than implicitly or tacitly assumed.
This will affect all active policies and customer materials held by re/insurance companies that have not acquired explicit consent, and will require exhaustive amendments and updates to ensure they meet the new requirements.
Currently, in the UK, the Lloyd’s Market Association (LMA) offers a Core Uses Information Notice, which informs individuals how their personal data is processed by re/insurers and can be cross-referenced in the notices of re/insurance companies.
In its report, Sidley also points to many other GDPR provisions that are likely to have significant or onerous impacts on re/insurers, including enhanced accountability principles, more stringent security measures, and restrictions on automated processing and profiling.
The report concludes that, whilst the GDPR’s goal of data protection harmonisation across the EEA will eventually reduce administrative costs, the significant policy and administrative changes required to meet the new regulations will be very costly for re/insurers in the short term.
It adds that the re/insurance industry’s recognition of and compliance with the GDPR’s requirements is of great importance, and suggests that companies should immediately begin making the requisite policy, procedural, and technological changes.