GDRP: how the new European Data Protection Regulation will impact the insurance sector

Posted by media on December 12, 2017 at 9:00 AM


The new European Data Protection Regulation (better known by its acronym GDPR from General Data Pro­tection Regulation) came into force in May 2016, but it won't be mandatory to comply with until the following May 2018.

It contains important new developments concerning the consent and rights of physical persons, while introducing new procedures and figures such as the Data Protection delegate.

In this post we would like to highlight which specific aspects of the insurance sector will be affected when the new GDPR comes into force, so that insurers can adapt their processes before this transition period ends.

This post is also available in Spanish.


What changes with the new European Data Protection Regulation?

The Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with the regard to processing their personal data, and on the free circulation of this data repeals the previous Directive 95/46/CE.

This new regulation implements a single law in data protection in the whole European Union, applying the same criteria to all Member States.

However, it doesn't only affect the Member States, since it also applies to processing the data of European citizens outside the Union.

The new European Data Protection Regulation is a complex and detailed text that reinforces citizens’ rights and obliges companies and public entities to adapt to the current digital context.

For the insurance sector, its compliance will translate into a greater transparency that will reinforce its image to consumers.  

The new GDPR reinforces the responsibility of companies to be diligent and to create processes to do so. Otherwise, the fines could reach up to 20 million euros.


The 5 new changes from the GDPR that will affect insurance companies the most

1. New citizen rights

This new norm reinforces the rights known as ARCO (Access, Rectification, Cancellation and Opposition), and it adds new rights in order to protect the data of natural persons.

The new GDPR now establishes as rights:

  • Transparency (art. 12)
  • Information (arts. 13 to 14)
  • Access (art. 15)
  • Rectification (art. 16)
  • Deletion or the right to be forgotten (art. 17)
  • Treatment limitation (art. 18)  
  • Data portability (art. 20)
  • Opposition (art. 21)

These rights will require adapting information systems to provide customers with secure access that allows them to make queries, modifications, selective blocks and data dumps in external devices, for its delivery to other companies or institutions.



2.- Consent must be explicit

The great change that the new European Data Protection Regulation brings is that the consumer must give explicit consent for a company to use his/her personal data.

With the Spanish LOPD law for example, it was enough that consent was tacit, but with the new European Regulation consent must be explicitly expressed and as often as the company analyzes data for different purposes.

Specifically, consent must be “free, specific, informed and unambiguous” and the data controller must be able to prove that the data owner “consented to processing of his/her personal data”.

With the new European Data Protection Regulation, the data controller must be able to prove that the data owner gave his/her explicit consent.

On the other hand, not only sensitive data (such as health, racial origin, genetic data, biometric or religious information) will be protected - but also data obtained from the person when using a service or device (data such as location, traffic, search history, etc).

For these categories companies must comply with some requirements to store this data, since they are guaranteed special protection. Additionally, the consent alone of the interested party is not enough to make the data processing viable.

Under the principle of responsibility, the data controller must apply the adequate measures to prove that consent was given in an appropriate form.

In this framework, insurers must define policies and data processes that respect this requirement of active diligence.

From May 25, 2018 and forward, all the data that policy holders provide to insurers, or that they obtain due to the use that policy holders make of their services, will fall under the new GDPR.

  A key issue: exchanging information between insurance companies and insurance brokers

  Exchanging data between insurance companies and brokers has always been a sensitive question due to the lack of trust in the use of this data.

The European Commission and National Data Protection Agencies will have the possibility to dictate specific norms per sector, that make applying the new European Data Protection Regulation  more viable.

In the case of insurance brokers, regarding the information that they receive from insurers, specific criteria is expected to be established; perhaps along with codes of conduct or quality standards, that will favor brokers by establishing limits to their obligations.

This criteria would help limiting what responsibilities and obligations are of the insurance broker and which correspond to the insurance company.


3.- The privacy impact assessment and privacy by design

New requirements such as the Privacy Impact Assessment or the Privacy by Design will have a special impact on the insurance sector.

The requirement called the Privacy Impact Assessment (art. 35) considers the need to evaluate the consequences in processing personal data.

In the case of sensitive data it will be necessary to develop a plan that contemplates the possible risks. But it will be the responsibility of the company to establish if they should evaluate the risks due to the nature of the data, or due to the quantity of data that they manage.

   In the insurance sector, some examples of data that are currently used by many insurance       companies and that fall within the scope of the new GDPR are biometric data or                         information obtained through services based on geolocation to calculate health insurance       or vehicle insurance.

Regarding the Privacy by Design (art. 25.1) concept, insurers will have to internalize privacy in the process of designing and preparing insurance policies.

This means that from the moment in which applications that process personal data are designed, insurance companies will have to guarantee user privacy.

In sum, data protection should be reflected from the creation phase of any product or service that will receive data from individuals.



4. Data analysis

The insurance sector analyzes large volumes of data to improve decision making or to design products and services.

Data analysis technologies allow to gather large amounts of information, both internal and external, and analyze it to make predictions on user behavior. This way, insurers improve their knowledge about their customers and can personalize their offers.

Although the new European Regulation does not specifically address questions about the analysis of large volumes of data, some practices can have negative consequences, especially if users are not aware of it.

In this sense, companies must keep in mind enabling elements that the new Regulation plans for, such as the client’s explicit consent and his legitimate interest.  

Thus, the new norm contemplates measures such as the right of people to oppose to decisions about their personal data, if those decisions are based solely on an automated analysis.

  The cyber risk insurance in the General Data Protection Regulation

The application of the European Data Protection Regulation will be the catalyst for developing cyber risk insurance in the European Union. These insurance policies were created in the 90s in the United States with the goal to ensure companies are in the digital era.

There are three articles related to cyber risk insurance in this new regulation:

  • Article 33: it establishes the obligation to notify the violation of personal data to the competent controlling authority with a maximum of 72 hours since the problem was discovered.

    Jonathan Kewley, lawyer at Clifford Chance London, recently acknowledged in a  conference organized by the IE’s Center for Insurance Research that most of his clients would not be prepared to respond to a regulator at that time.

  • Article 34: it also requires to notify affected parties with the violation of their personal data. A process whose cost could have a strong impact on any company´’s balance.

  • Article 83: establishes harder sanctions that were already provided in the Spanish Organic Law on Data Protection, and considerably increases fines, which could reach up to 20 million € or 4% of the company's total annual volume.

5. The role of the data protection delegate

One of the main changes introduced by the new GDPR is the figure of the data protection delegate (DPD).

It is a natural or legal person that all companies must designate, and whose designation must be communicated to the competent authority.

In Spain, the delegate will maintain the communication with the Spanish Agency for Data Protection (AEPD) and will ensure compliance with the new regulations in the company.

The data protection delegate is regulated in Article 37.1 of the Regulation, which establishes which organizations should name a DPD:

  • Authorities and public bodies.
  • Organizations that, as a main activity, follow people systematically and on a large scale, or that process special categories of personal data at a large scale.

The AEPD, in its 9th annual open session, did not want to comment on whether the law that will replace the current Spanish LOPD will contain some type of list of organizations or sectors obliged to name a DPD.

However, the AEPD presented a list of organizations, by way of example and not exhaustive, where insurers and reinsurers appear.



Currently, handling large amounts of data concerns citizens, who are increasingly aware of the handling and protection of their personal data.

For that, this new European Data Protection Regulation is necessary to count on a norm that adapts to the new digital world and to the new security requirements from the internet.

The application of the GDPR implies that all companies should revise all their procedures, which not only means to review how many databases they have, but also the way in which data is obtained and processed.

Additionally, companies should study the way they work, and analyze their entire security environment to be protected.

In order to maintain security and avoid that data processing violates the new regulation, the data controller or responsible party must evaluate the inherent risks to said processing and apply measures to mitigate it, such as encryption.

These measures must guarantee an adequate level of security, including confidentiality, taking into account the technical needs and the cost of its application with respect to the risks and the nature of the personal data that must be protected.

In the case of insurance companies, the implementation of the new GDPR will imply the added value of transmitting transparency to their clients thus preventing their reputation from being compromised, and of course also the possible economic sanctions.

This post is also available in Spanish.

New Call-to-action

Topics: GDPR

Blog Subscription

Recent Posts