
Understanding GDPR Impact on Insurance Industry
Gain insights into the main provisions of GDPR and its impact on the insurance sector. Explore data processing accountability, consent requirements, breach notification rules, and key lawful processing principles under the GDPR.
Presentation Transcript
Insurance Institute of Southampton (CII)
GDPR: The Insurance Industry Perspective
Will Richmond-Coggan, Data Privacy Partner, Pitmans Law
6 March 2018
Learning outcomes
1. Understand the main provisions of the GDPR
2. Understand what impact GDPR is likely to have on businesses
3. Understand how the insurance industry will have to adapt, and how the scope is broader than just cyber cover.
GDPR: The Insurance Industry Perspective
We're lawyers, so we always start with a disclaimer. The guidance that follows is in the nature of general information about the subject matter concerned; it is invariably the case that detailed legal advice requires a lot of fact-sensitive information that we will not have while discussing points today. As such, no reliance should be placed on the guidance given in this talk without first taking such detailed advice. Nevertheless, feel free to ask questions, even those embarrassing ones on behalf of your friend who couldn't make it; it will help us to make sure that the content is as relevant as possible!
General overview
Understanding the main provisions:
- Direct accountability of data processors: the data controller/processor distinction
- Consent requirements toughened up: freely given, specific, informed and unambiguous indication by a statement or clear affirmative action
- Territorial extent: the Global Data Protection Regulation?
- Breach notification and record keeping: mandatory notification, document intensive
Main Provisions: Personal Data
- Now includes identification numbers, location, online identifiers and factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity
- Still includes information about activities when linked to an identifier
- Sensitive data now includes genetic and biometric data
- Criminal records now occupy a separate category and are treated distinctly
Main Provisions: Lawful processing
- Contract: necessary for the formation or performance of a contract between the controller and subject
- Obligation: necessary for performance of a legal obligation, or discharge of a statutory function
- Vital interests: to protect the vital interests of the data subject or someone else
- Special data: additional conditions must be satisfied to be able to process special data
Lawful processing (cont.) - Consent
- Consent must be freely given, specific, informed and unambiguous, by some form of clear affirmative action
- It cannot be signified by inaction or silence, or be a pre-condition to other actions
- It must be as easy for a subject to withdraw consent as to give it, in form and substance
- Remember that processing under consent gives the data subject wider rights than other lawfulness gateways
Main provisions: Risk Based
- Identify each of the processes of your business which engage personal data
- Do you process as controller or processor? What is the lawfulness gateway?
- Is the processing proportionate to the objectives?
- What measures of safeguarding are appropriate? Anonymisation/pseudonymisation; encryption; permissions; policies
Main Provisions: Breach notification
- Now mandatory for breaches leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
- Notification must be made within 72 hours of detection
- Data subjects must also be notified without undue delay where the breach poses a high risk to their rights
- Think about the steps that will need to be taken in those 72 hours: processes need to be in place already
Before we move on: Any Questions?
The Impact on Businesses?
Getting ready with D P R
Business Impact: Data discovery
Headline points:
- What personal data is held: identification of an individual, or information about activities
- Where should the data be located? Think about local drives, servers, cloud services, portable
- Where else is it actually? Think about personal devices, webmail, pen drives, offshore
- Data flows: internal/external, compliant processing chains, cross-border
Business Impact: Policies for Compliance
Headline points:
- Compliance with standards: Cyber Essentials, ISO 27001, ISO 27005, field-specific
- GDPR-specific procedures: consent management, privacy protection systems, notifications
- Policy and process review: system capabilities, gap analysis, develop and implement
- Training and awareness at all levels
- Baked-in compliance: privacy by design and by default
Business Impact: Records
Headline points:
- The accountability principle: not enough just to be compliant any more!
- Data supply chain audits / tendering: credible answers will be required (with details to back them up)
- Due diligence on sale or acquisition: already seeing data protection assuming far greater importance
- Mandatory breach notifications: ICO notifications require detail about the business's safeguards and risk assessment referable to the breach
GDPR & Insurance
- Broader market thanks to data processors being directly liable
- Existing cover is fragmented: Crime, K&R(?), Business Interruption, PI, Cyber. Is cover comprehensive, and which policy answers specific issues?
- Scale of cover that may be required?
- Fines (we had to get to those eventually!)
- Mitigation for victims
- Compensation for damage and/or distress
OK, that's it! Any Questions?
With Pitmans Law you can be assured of the quality of advice and service you demand from a city law firm, but with a distinction: the courage to stand apart, to think and act personably, with an uncompromising focus on achieving outstanding client outcomes. We say what we mean, matching our behaviours to our words.
Established for over 150 years, Pitmans Law is headquartered in Reading with offices in London and Southampton. The lower overheads of a regional office ensure we can provide city-quality legal advice at a competitive price to deliver exceptional value for our corporate and private clients locally, nationally and internationally.
Pitmans provides legal advice to address our clients' needs across a wide range of industry sectors and specialisms, including particularly strong specialist teams in pensions advisory, real estate, dispute resolution, as well as corporate and commercial law. Our clients draw confidence from the top-tier recognition Pitmans achieves in the industry benchmarking directories, Legal 500 and Chambers UK.
Reading, London, Southampton
Pitmans Law is the founding UK member firm of the global legal network, Interact Law.
Contact us: T +44 (0)345 222 9222, E law@pitmans.com