GDPR for Insurance Industry

Data protection will need to be on the boardroom agenda.

This is a milestone moment in the world of data protection law. On 15 December 2015, after 3 years of detailed discussions, political agreement was reached between the European Commission, EU Parliament and the Council of the EU on the compromise text of the General Data Protection Regulation. The GDPR will replace the Data Protection Directive 95/46/EC and therefore the Data Protection Act 1998 in the UK. The GDPR will be formally adopted by the EU Parliament and the Council of the EU in the coming weeks and then published in the Official Journal of the European Union. Twenty days after publication, the GDPR will be in force. It will not take effect for a further two years. We anticipate that the GDPR will take effect some time during the first half of 2018.

It is, however, early days. We await further guidance and local legislation where derogations to the GDPR are permitted. We will keep you updated as the landscape evolves.

This guide has been written to provide the insurance industry with an overview of the impact we expect the GDPR to have. We have looked at each of the main provisions and compared them against current law and best practice guidance from the Information Commissioner's Office. We have then considered the impact that these key changes might have on the insurance industry and advised on the practical steps that can be taken now in order to start the process of ensuring GDPR compliance before the two-year implementation period comes to an end.


The GDPR from an Insurance and Financial Mediation Perspective

The Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the so-called General Data Protection Regulation or GDPR) will impact all firms and persons who are dealing with "personal data", including insurance and financial intermediaries.

The GDPR is a cross-sectoral text. It has not been drafted with the insurance or financial sector in mind, but it applies to the insurance and financial sector, including their intermediaries.

During the adoption process of the GDPR, BIPAR, in cooperation with its member associations, informed the EU legislators (European Parliament, Council of the EU) as well as the European Commission and the Supervisor, about requirements where the specificities of the insurance and financial sector needed to be taken into consideration to ensure that the stability and security of policyholders' insurance contracts will not be jeopardised. Some of our points were taken into consideration but the GDPR remains a complicated piece of regulation.

The intermediary sector is serious about the protection of its client data. In order to help intermediaries prepare for the new rules that will apply throughout the EU with effect from May 2018, BIPAR commissioned a Commentary on the GDPR from Steptoe & Johnson LLP, which clarifies data protection law in light of the changes brought about by the GDPR. Isabelle Audigier, BIPAR Legal Director, and François Lestanguet, policy advisor, led BIPAR's participation in this work.

Responsibility for compliance with all relevant EU and national legislation rests with individual firms and we hope that this Commentary will encourage market parties and also national regulators and data protection supervisory authorities to develop together a realistic framework and system of data protection in the EU.