What is the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation that governs and harmonises the protection of personal data throughout the European Union. In force since May 25, 2018, it sets out a minimum list of obligations and responsibilities for businesses regarding the information they collect on their customers, their prospects and individuals in general.
This regulation, which has partially replaced the French Data Protection Act (loi Informatique et Libertés) and the recommendations of the CNIL, also gives a broader definition of personal data: location information, an IP address or even the cultural identity of an individual can all count as personal data. In parallel, European citizens have gained new rights that they can assert against companies.
Consequently, the GDPR has a significant impact on insurance companies, which must meet specific obligations and set up specific procedures in order to comply with the law.
New obligations for insurers
Compliance for an insurance company begins with respecting a number of obligations inherent in the GDPR.
Data processing responsibility
The European data protection regulation makes companies accountable as "data controllers". They therefore have the duty to demonstrate to the CNIL that they comply with the law in force (the principle of accountability).
Collecting sensitive data requires the explicit consent of the persons concerned. In the event of an inspection by the CNIL (Commission nationale de l'informatique et des libertés), an insurance company must therefore be able to produce proof of this consent or establish another lawful basis.
For example, collecting health data can be necessary to protect a person's vital interests or to meet certain legal obligations.
Limited storage of personal data
Before the GDPR came into force, insurance players were not subject to any time limit on the retention of customer and prospect data.
This has changed: they are now obliged to delete the personal information of any prospect whose last contact dates back more than 3 years and who has not signed any insurance contract. Companies must also erase the data of customers who ended their contractual relationship at least 10 years ago.
Respect for data finality
When data is collected, its purpose must be clearly determined, explicit and legitimate. The customer or prospect thus agrees that their information is used for a precise purpose and kept only for as long as that processing requires. The collected data cannot later be reused for another, incompatible purpose.
Keeping a register of processing activities
The GDPR requires the creation of a register of processing activities, in which every processing operation carried out on customer and prospect data is recorded. It must be updated regularly so that it gives a coherent overview of the various data flows and of where that data is stored.
New rights for customer and prospects of insurance companies
If the GDPR has brought its share of obligations for insurers, the European regulation also grants new rights to customers and prospects.
These concern in particular access to and deletion of personal data. On request, a customer may require a file containing all the data held about them. The insurance company must also make it easy for them to correct their personal information.
In addition, customers and prospects may request the permanent deletion of their data at any time. They are therefore not obliged to wait for the deadlines set by law, namely 3 years after the last contact for prospects and 10 years after the end of the contractual relationship for former customers.
However, the erasure request cannot cover information that is essential to the operation of an insurance contract still in progress. Insurers are also obliged to keep the data used for the traceability of funds in the context of a financial investment.
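The retention deadlines in the "Limited storage of personal data" section and the exceptions to the right to erasure above combine into a small decision rule that is easy to get subtly wrong (active contracts have no deadline, a traceability hold outranks a request). The following is an added example, not code from the original article or from Orisha Insurance. The record layout, the field names and the assumption that a fund-traceability hold also blocks the scheduled purge (the article does not say how long such a hold lasts) are all hypothetical; the 3-year and 10-year periods are the ones stated in the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods as stated in the article.
PROSPECT_RETENTION_YEARS = 3    # from last contact, when no contract was ever signed
CUSTOMER_RETENTION_YEARS = 10   # from the end of the contractual relationship


@dataclass
class PersonRecord:
    """Hypothetical minimal CRM record used for the example."""
    person_id: str
    last_contact: date
    contract_start: Optional[date] = None
    contract_end: Optional[date] = None           # None with a start date = contract still active
    fund_traceability_hold: bool = False          # data needed to trace funds of a financial investment


def add_years(d: date, years: int) -> date:
    """Same calendar day N years later; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def has_active_contract(rec: PersonRecord) -> bool:
    return rec.contract_start is not None and rec.contract_end is None


def retention_deadline(rec: PersonRecord) -> Optional[date]:
    """Date on which the record must be deleted, or None when there is no deadline yet."""
    if rec.contract_start is None:
        # Prospect who never signed: clock runs from the last contact.
        return add_years(rec.last_contact, PROSPECT_RETENTION_YEARS)
    if rec.contract_end is None:
        # Ongoing contract: data is needed for its operation, no deadline.
        return None
    # Former customer: clock runs from the end of the relationship.
    return add_years(rec.contract_end, CUSTOMER_RETENTION_YEARS)


def is_past_retention(rec: PersonRecord, today: date) -> bool:
    deadline = retention_deadline(rec)
    return deadline is not None and today >= deadline


def erasure_decision(rec: PersonRecord) -> tuple[bool, str]:
    """Answer to a data-subject erasure request: (granted, reason)."""
    if has_active_contract(rec):
        return False, "data required for the operation of an ongoing insurance contract"
    if rec.fund_traceability_hold:
        return False, "data retained for the traceability of funds"
    return True, "erasure granted on request"


def due_for_scheduled_purge(records: list[PersonRecord], today: date) -> list[str]:
    """IDs whose retention period has expired and that carry no hold (assumption: a hold blocks purge)."""
    return [
        r.person_id
        for r in records
        if is_past_retention(r, today) and not r.fund_traceability_hold
    ]


if __name__ == "__main__":
    # Constructed sample data for the example.
    today = date(2024, 6, 1)
    sample = [
        PersonRecord("p1", last_contact=date(2021, 5, 31)),                      # prospect, 3 years elapsed
        PersonRecord("p2", last_contact=date(2021, 6, 2)),                       # prospect, one day short
        PersonRecord("c1", date(2014, 5, 1), date(2004, 1, 1), date(2014, 5, 31)),  # ex-customer, 10 years elapsed
        PersonRecord("c2", date(2024, 5, 1), date(2020, 1, 1)),                  # active contract
        PersonRecord("c3", date(2010, 1, 1), date(2000, 1, 1), date(2010, 1, 1), fund_traceability_hold=True),
    ]
    print("scheduled purge:", due_for_scheduled_purge(sample, today))
    for rec in sample:
        print(rec.person_id, erasure_decision(rec))
```

The two paths are kept separate on purpose: the scheduled purge is what the insurer must run even when nobody asks, while erasure_decision answers an explicit request and must explain a refusal, since the person is entitled to know why their data is kept.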
Data security
Securing personal data is another major axis of the GDPR, and one that particularly concerns companies in the insurance sector, since they store a considerable amount of information, notably linked to the subscription of contracts.
Insurance companies must therefore ensure that this data enjoys a sufficient level of protection for the whole life of a contract. For example, using HTTPS for data in transit and encrypting digital storage spaces are among the essential measures for achieving satisfactory security.
If, despite all the insurer's precautions, a security incident leads to the theft or compromise of certain data, the company is obliged to notify the CNIL (within 72 hours of becoming aware of the breach, where feasible) and, where the breach is likely to result in a high risk to them, the customers and prospects concerned. It must then describe precisely the circumstances of the incident and the exact nature of the data affected.
By Orisha Insurance