Friday Highlight

Five questions to ask your insurer about GDPR

Did you hear the joke about two business travellers who meet in an airport lounge?

One says to the other: “Can you recommend a GDPR expert?” Her companion thinks for a moment and says: “Yes.” “Great,” she says, “can you give me their details?” “No,” says her friend.

The General Data Protection Regulation (GDPR) came into force on 25 May.

At a time when big technology companies are under renewed scrutiny about what they do with our data, the need for new controls is clear. GDPR aims to strengthen citizens’ rights to data protection, particularly where that data is processed by companies and organisations, and reinforces those organisations’ obligations to the individual.

Insurance companies are among those that should be prepared for the new regulatory regime.

The challenge is to communicate the impact on customer relationships simply, minimising disruption and ensuring customers feel that their service provider has their best interests at heart.

Some will be better than others, so what should you be asking your insurer?

1. What personal data are you processing about me?

Customers provide deeply confidential details as part of the application process, both to satisfy existing know-your-customer regulations and to help insurers understand their clients’ objectives.

Ask your insurer:

  • What personal data of yours are they processing?
  • How have they updated their terms and conditions and application forms on data protection?

2. How is my data used?

Financial services providers are constantly targeted by fraudsters.

Providers of encryption technologies must keep pace with hackers who deploy increasingly sophisticated techniques to access sensitive data.

GDPR requires financial services providers to meet the highest standards of data security when transferring your data to third parties, such as custodian banks or other service providers.

Ask your insurer:

  • What, beyond the primary agreed purpose, do they do with your data?
  • Should they provide you with a disclosure mandate to satisfy professional secrecy laws?
  • Can they ensure that any personal data transferred is used only for the purposes for which the transfer is intended?
  • Are they compliant with the necessary EU regulatory standards when your data is shared with third parties outside the EU, regardless of those third parties’ jurisdiction?

3. Do you have any procedures in place in case of data breach?

Customers should know what systems are in place to inform and protect them in case of a data breach.

Ask your insurer:

  • What procedures are in place to inform you of data breaches?
  • What communication and proactive support can you expect in case of a data breach?

4. What are my rights over my personal data?

Your insurer should be able to explain to you your rights over your personal data.

The following questions are key to understanding those rights and will help you build trust with your insurer.

Ask your insurer:

  • For how long can they hold your personal data after a commercial relationship has ended?
  • What regulation, e.g. anti-fraud, anti-money laundering or anti-terrorism, requires them to keep your personal information for as long as they do?
  • What rights do you have over your data, such as the right to be informed, the right to be forgotten, the right to rectification, the right to object, and the right to restrict sharing with third parties?

5. Do you have a Data Protection Officer role in place?

A key question you should ask your insurer is whether they have met GDPR’s requirement to appoint a Data Protection Officer (DPO) to control how information is used, stored and shared with third parties.

This encompasses creating and maintaining a personal data register, built around the new GDPR requirement, which explains the objective of the data processing, its legitimacy, appropriateness, accuracy, security, storage, and data minimisation principles.

Ask your insurer:

  • Have they appointed a DPO?
  • Will the DPO monitor compliance with the regulation, provide advice, and cooperate with the Data Protection Authority and act as its contact point?

The best insurers will have DPOs, demonstrating they understand the aims of the regulation and are truly focused on their clients’ best interests.

Alexandre Mollard is head of compliance at Lombard International Assurance