The body has issued a reminder to its members of the need to comply with the EU’s General Data Protection Regulation (GDPR), which will begin to apply on 25 May.
In an overview document (1 page / PDF), Insurance Europe said data processing was at the heart of the insurance business and that this means GDPR will have a significant impact on insurance companies.
Data protection expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said risk management and transfer is central to client-facing insurance business.
"Insurers must have their own houses in order in preparation for GDPR, which becomes law in a matter of days," Gillespie said. "The guidance issued by Insurance Europe helps to highlight the central requirements within the regulation. Transparency is key – ensuring that the people insurers engage with understand how their information is being used. The accountability principle dictates that a clear documented process is in place demonstrating how compliance is achieved."
"Should the worst happen, of course, there is the new requirement on the notification of certain breaches to be made within 72 hours of their occurrence. With insurers potentially holding a broad range of personal data, it is imperative that notices, systems, policies and procedures are updated in preparation for GDPR becoming law," she said.
The overview includes a reminder to insurers that they must abide by the GDPR when processing their customers' personal data and that additional restrictions and safeguards apply to the processing of 'special categories' of data, such as information about individuals' health. Insurance Europe said insurers must remember that the performance of an insurance contract cannot be used as a legal basis to process special categories of data.
In its document, the federation also highlighted that insurers must provide customers with information about the processing of their personal data, including who is processing it and why. This obligation also applies when personal data is obtained from third parties, for example following a road traffic accident.
Like other businesses, insurers must ensure that any third-party supplier they use, such as a cloud service provider, has controls in place to meet GDPR requirements. Large insurers may need to appoint a data protection officer to monitor and control compliance with the new laws.
Insurance Europe's paper also highlighted EU rules on data transfers and on data protection by design, and said insurers might choose to automatically delete data once the period for which it needs to be retained has ended.
If insurers are processing data in a way which poses a high risk to an individual’s rights and freedoms – for example processing health data on a large scale – they should carry out a data protection impact assessment, said Insurance Europe.
The federation has also created a template for insurers to notify their supervisory authorities in the event of a data breach.
Insurance companies and any other businesses which fall foul of GDPR could find themselves hit with a fine of up to €20 million or 4% of their global annual turnover, whichever is higher.