Given that insurance products and policies rely on personal data for underwriting and claims purposes, the insurance industry worldwide must be mindful of the EU's General Data Protection Regulation (GDPR) requirements.

Many people affiliated with a multi-national insurance company or reinsurer consider the fast-approaching deadline for compliance with the General Data Protection Regulation (GDPR) to be old news.

But that's not true of the entire insurance industry. It is less likely that an independent broker — one who has just placed a policy of insurance for a resident of the European Union who purchased property in the United States — realizes the urgency of becoming acquainted with the GDPR.

Pending regulatory impact

The EU adopted the GDPR in 2016. It applies from May 25, 2018 and governs how organizations collect, use and protect the personal data of individuals in the EU. Its territorial scope (Article 3) is not limited to companies located in the EU: it also reaches controllers and processors outside the EU whose processing relates to offering goods or services to individuals in the EU, or to monitoring their behaviour there.

More specifically, the GDPR establishes the rights of individuals in the EU with regard to how their personal data is collected, processed, shared and retained, which raises the question: Does the GDPR apply to insurance-related businesses whose reach is limited to risks within the U.S.?

The answer is yes for any such business that deals with individuals in the EU.

Still, consumer-facing companies worldwide, including those in the insurance space, are struggling to understand how the GDPR will impact business operations and the extent of their compliance obligations. As the May 25, 2018 deadline for compliance is fast approaching, the following answers to some frequently asked questions about the GDPR should prove helpful.

What you need to know

Question: My company doesn't insure properties located inside the EU. Do I still need to be concerned about the GDPR?

Answer: Yes. Under Article 3, the GDPR applies in either of the following cases:

  1. The data controller (the company that decides why and how personal data is collected) or its processor (a company that processes data on the controller's behalf, such as a website host or a claims-administration vendor) is established in the EU, regardless of where the processing itself takes place; or
  2. The controller or processor is established outside the EU, but the processing relates to offering goods or services to individuals in the EU (a policy placed for someone living in the EU, for example) or to monitoring their behaviour within the EU.

There is no minimum threshold for compliance; an organization that collects the personal data of a single individual in the EU while offering that person a service must handle it in compliance with the GDPR.

In more basic terms, if someone living in the EU owns or rents a home outside the EU (say, in Arizona) and has insured that property through a domestic broker or a U.S. insurer, personal data has been collected in the course of providing that person a service, and it must be handled in compliance with the GDPR.

Question: What if I haven't collected "personally identifiable information (PII)," just a name, e-mail address and IP address. Do I still have to comply?

Answer: Again, the answer is yes. The GDPR is concerned with "personal data," defined in Article 4 as any information relating to an identified or identifiable natural person. That is broader than the U.S. notion of PII: a name, an e-mail address and even an IP address or a device identifier can each be personal data when they can be linked to a person. Because the insurance sector is so data-intensive, the compliance obligation is easily triggered.

In fact, given that insurance products and policies rely on personal data for underwriting and claims purposes, those in the industry must be especially mindful of the regulation's requirements.

Question: Can I just get my EU customers to waive GDPR compliance?

Answer: No. The rights the GDPR gives data subjects cannot be contracted away. Consent is one lawful basis for collecting, processing or using a data subject's personal data, but it is not the only one, and it must meet the GDPR's own standard (freely given, specific, informed and unambiguous) to count.

Something else to consider: The GDPR treats control over one's personal data as a fundamental right, but not an absolute one. Article 6 allows a business to process personal data without consent where, for example, the processing is necessary to perform a contract with the data subject (issuing and administering the policy), to comply with a legal obligation (such as a tax or regulatory reporting requirement), or for the business's legitimate interests where those are not overridden by the data subject's interests (fraud prevention is the usual example). Each processing activity needs to rest on one of these bases, and consent is frequently the weakest choice because it can be withdrawn at any time.

Question: If I include a provision on my website privacy policy implying consent and clients continue using the website, is that sufficient? (There's a link to the privacy policy at the bottom of my website that no one except my lawyers seems to know about.)

Answer: No. Consent under the GDPR requires a clear affirmative act by the data subject, taken after you have told them who you are, why you are collecting their data, how you will use it, who you will share it with and how long you will keep it. Silence, inactivity or continued use of a website is not consent.

The affirmative act can be ticking a consent box that is unchecked by default (you cannot pre-check it for them) or typing a confirmation such as "I consent" into a text field. Consent must be demonstrable, so keep a record of who consented, to what, when and how (date, time, IP address, the version of the notice they saw and the action they took). Keep in mind that a data subject can withdraw consent at any time, that withdrawing it must be as easy as giving it, and that once it is withdrawn you need another lawful basis or must stop the processing.
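The following is an added example, written for this page and not taken from the article or from any product of the authors' firm. It shows one way to implement the two points above in code: a check that accepts only an affirmative act (a box the subject ticked themselves, or an explicit typed phrase) and rejects a pre-ticked box, and an append-only, hash-chained ledger that records grants and withdrawals per purpose so that a later audit can demonstrate what was consented to, when, from which IP address and against which version of the notice. All names (`ConsentLedger`, `record_grant`, the field names, the accepted phrase, the sample subject and timestamp) are assumptions for illustration, not anything from the page.

```python
# Added example (not from the article): a minimal consent ledger.
# Function, field and sample names are assumptions for illustration only.
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
import hashlib
import json

GENESIS_HASH = "0" * 64                  # prev_hash of the first event
AFFIRMATIVE_PHRASES = {"i consent"}      # assumed acceptable typed confirmations


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # your internal identifier for the data subject
    purpose: str          # consent is per purpose: "underwriting", "marketing", ...
    action: str           # "granted" or "withdrawn"
    recorded_at: str      # ISO-8601 UTC timestamp
    ip_address: str
    notice_version: str   # version of the privacy notice the subject saw
    evidence: str         # the act the subject actually performed
    prev_hash: str        # digest of the preceding event, for tamper evidence

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def is_affirmative(box_checked_by_default: bool, box_checked: bool,
                   typed_text: str = "") -> bool:
    """Only an act the subject performed counts: ticking a box that was
    unchecked by default, or typing an explicit phrase. A pre-ticked box,
    silence, or merely continuing to use the site is not consent."""
    if box_checked and not box_checked_by_default:
        return True
    return typed_text.strip().lower() in AFFIRMATIVE_PHRASES


class ConsentLedger:
    def __init__(self) -> None:
        self._events = []   # append-only; events are never edited in place

    def _append(self, **fields) -> ConsentEvent:
        prev = self._events[-1].digest() if self._events else GENESIS_HASH
        event = ConsentEvent(prev_hash=prev, **fields)
        self._events.append(event)
        return event

    @staticmethod
    def _stamp(now):
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_grant(self, subject_id, purpose, ip_address, notice_version,
                     box_checked_by_default, box_checked, typed_text="", now=None):
        """Refuse to record anything unless the subject took an affirmative act."""
        if not is_affirmative(box_checked_by_default, box_checked, typed_text):
            raise ValueError("no affirmative act by the data subject; consent not recorded")
        text = typed_text.strip()
        evidence = f"typed {text!r}" if text else "ticked box (unchecked by default)"
        return self._append(subject_id=subject_id, purpose=purpose, action="granted",
                            recorded_at=self._stamp(now), ip_address=ip_address,
                            notice_version=notice_version, evidence=evidence)

    def record_withdrawal(self, subject_id, purpose, ip_address, now=None):
        """Withdrawal is just another event; earlier grants stay on record."""
        return self._append(subject_id=subject_id, purpose=purpose, action="withdrawn",
                            recorded_at=self._stamp(now), ip_address=ip_address,
                            notice_version="", evidence="withdrawal request")

    def has_consent(self, subject_id, purpose) -> bool:
        """The most recent event for this subject and purpose decides."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.action == "granted"
        return False

    def verify_chain(self) -> bool:
        """Recompute the hash chain; an edited or deleted interior event breaks it."""
        expected = GENESIS_HASH
        for ev in self._events:
            if ev.prev_hash != expected:
                return False
            expected = ev.digest()
        return True


def demo():
    """Constructed walk-through with a fixed timestamp; returns the checks a caller would assert on."""
    t = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed, not a real record
    ledger = ConsentLedger()
    ledger.record_grant("subject-42", "underwriting", "203.0.113.5", "notice-v3",
                        box_checked_by_default=False, box_checked=True, now=t)
    granted = ledger.has_consent("subject-42", "underwriting")
    other_purpose = ledger.has_consent("subject-42", "marketing")   # never given
    try:
        ledger.record_grant("subject-42", "marketing", "203.0.113.5", "notice-v3",
                            box_checked_by_default=True, box_checked=True, now=t)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    ledger.record_withdrawal("subject-42", "underwriting", "203.0.113.5", now=t)
    after_withdrawal = ledger.has_consent("subject-42", "underwriting")
    intact = ledger.verify_chain()
    # Simulate an after-the-fact edit of the first record (a changed IP address).
    ledger._events[0] = replace(ledger._events[0], ip_address="198.51.100.9")
    return {"granted": granted, "other_purpose": other_purpose,
            "prechecked_rejected": prechecked_rejected,
            "after_withdrawal": after_withdrawal, "chain_intact": intact,
            "tamper_detected": not ledger.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Consent is keyed by purpose, so consent to underwriting does not silently become consent to marketing, and a withdrawal is recorded as a new event rather than by deleting the grant, which keeps the evidence of what was consented to and when. The hash chain only detects edits to events that have a successor; in practice the digest of the latest event should also be stored somewhere the ledger's own administrators cannot write to.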

Question: What if I decide to accept the risk of non-compliance and "roll the dice" that EU officials won't target me for an enforcement action? What's the potential penalty?

Answer: GDPR sanctions will be severe.

Supervisory authorities have a range of corrective powers, from warnings and reprimands for minor or first-time infringements to orders to stop processing. Administrative fines come in two tiers: up to 10,000,000 Euro or 2% of annual worldwide turnover, whichever is higher, for infringements such as failing to keep records of processing or to report a breach; and up to 20,000,000 Euro or 4% of annual worldwide turnover, whichever is higher, for infringements of the basic processing principles, the conditions for consent or data subjects' rights.

Question: It sounds like my company has to comply. Where do I start?

Answer: There are several steps you can (and should) take right away to move toward GDPR compliance. They include:

  • Data mapping: identifying what personal data you hold, where it is stored, where it came from, who it is shared with and how long it is kept;
  • Segmentation: segregating data about EU data subjects from other data, so that the GDPR's requirements can be applied to it consistently;
  • Consent: reviewing the processes you use to obtain and record consent, and identifying where another lawful basis (such as performance of the insurance contract) is the better fit;
  • Training: educating employees on the GDPR and on your related documents and mandates;
  • Written policies: distributing internal policies that document your data-handling practices and demonstrate your commitment to compliance; and
  • Accountability: appointing an individual within your organization whose responsibilities include auditing data governance, privacy and regulatory compliance.

Of course, seeking experienced counsel is always recommended.

Just Remember: Time is of the essence. The deadline for GDPR compliance is May 25, 2018.

Mark B. Robinson is founding partner of Michelman & Robinson, LLP, a national law firm with offices in Los Angeles, Orange County (California), San Francisco, Chicago and New York City. Mr. Robinson is an insurance industry specialist who primarily represents retail brokers and agents in all aspects of their businesses. He can be contacted at (310) 564-2670 or mrobinson@mrllp.com.

Scott Lyon is also a partner at M&R. He helps clients evaluate and implement effective information security practices. Likewise, he provides advice on best practices in the event of data breaches. Mr. Lyon can be contacted at (714) 557-7990 or slyon@mrllp.com. Please visit http://www.mrllp.com for more information.

© Arc, All Rights Reserved.