GDPR-Think-Insurtech

Insurance obligations under the GDPR

GDPR Data subject rights 

When you provide data that identifies you, such as a personal email address, date of birth or credit card details, you are a data subject. Your personal data remains under your control: the GDPR gives you enforceable rights over how it is used.

Personal Data - Article 4(1)

-Individual identity (name, identifiers)
-Personal information
-Banking and tax data
-Personal life (professional status, salary, etc.)
-Location - geolocation, IP address
-Special categories of data (Article 9) - medical data, biometric data such as fingerprints, genetic data such as DNA
-Criminal data (Article 10) - offences and convictions
-Data concerning children (Article 8)

You have rights and you can exercise them:

The right to be informed (Articles 13 and 14)
The right of access (Article 15)
The right to rectification (Article 16)
The right to erasure, also known as the right to be forgotten (Article 17)
The right to restrict processing (Article 18)
The right to data portability (Article 20)
The right to object (Article 21)
Rights in relation to automated decision making and profiling (Article 22)

Where processing relies on consent, consent is defined in Article 4(11) and its conditions are set out in Article 7: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The processing of personal data must be lawful, so consider the following:
When consent is used as the basis for processing, it must be clearly given for a specific purpose, and it can be withdrawn as easily as it was given.
If there is no legal or contractual reason to keep personal data, it must be deleted when the data subject requests it.
When relying on legitimate interests, always check that the interests, rights and freedoms of the data subject do not override them.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data: 

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Be aware that extra care and protection is required for special category data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, sexual orientation, and biometric and genetic data. Processing such data needs a lawful basis under Article 6 and, in addition, one of the conditions in Article 9(2).

For data controllers and data processors 

+ Security of processing (Article 32): encryption and pseudonymisation, and measures that ensure the confidentiality, integrity, availability and resilience of processing systems, with regular testing of those measures
+ Breach notification (Article 33): inform the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, with a report covering its nature, likely consequences and the measures taken; where the breach is likely to result in a high risk to individuals, also inform the affected data subjects (Article 34)
+ Remediation: contain the breach, mitigate its effects and document it, including the facts, effects and remedial action taken (Article 33(5))
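Pseudonymisation is listed above as a security measure, but it only works as one if it is done with a secret key. The example below is added here to illustrate that point; it is not code from the original page or from any insurer. The claims rows, policy numbers and email addresses are constructed for the example, and the key-management arrangement (key held in a KMS, away from the dataset) is an assumption. It contrasts an unkeyed hash, which an attacker reverses by hashing every plausible policy number, with an HMAC under a secret key, and shows a minimal pseudonymised export that still links rows from the same policy.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample rows for a claims export; the people and policies are fictitious.
CLAIMS = [
    {"policy_no": "P-100234", "email": "alice@example.com", "dob": "1984-03-02", "claim_amount": 1250.00},
    {"policy_no": "P-100235", "email": "bob@example.com",   "dob": "1979-11-17", "claim_amount": 480.50},
    {"policy_no": "P-100234", "email": "alice@example.com", "dob": "1984-03-02", "claim_amount": 90.00},
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can enumerate the
    input space can recompute the hash and recover the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Assumption: the key lives in a KMS or
    HSM, separate from the pseudonymised dataset. Without it, the
    guess-and-hash attack in reverse_by_guessing() does not work."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token, drop fields the
    downstream use does not need (email), and generalise the date of birth
    to a year. Rows from the same policy keep the same token, so they still link."""
    return [
        {
            "policy_token": keyed_pseudonym(r["policy_no"], key),
            "birth_year": r["dob"][:4],
            "claim_amount": r["claim_amount"],
        }
        for r in records
    ]


def reverse_by_guessing(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identification attempt: hash every candidate identifier and compare.
    Policy numbers are a small, structured space, so this is cheap."""
    for cand in candidates:
        if naive_pseudonym(cand) == pseudonym:
            return cand
    return None


def demo() -> dict:
    """Run the attack against both pseudonym schemes on the constructed data."""
    key = secrets.token_bytes(32)
    candidates = [f"P-{n}" for n in range(100000, 101000)]
    return {
        "naive_recovered": reverse_by_guessing(naive_pseudonym("P-100234"), candidates),
        "keyed_recovered": reverse_by_guessing(keyed_pseudonym("P-100234", key), candidates),
        "rows": pseudonymise(CLAIMS, key),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash recovered:", result["naive_recovered"])    # P-100234
    print("keyed pseudonym recovered:", result["keyed_recovered"])  # None
    for row in result["rows"]:
        print(row)
```

Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under the GDPR as long as the key (or any other means of re-identification) exists, so the Article 32 and Article 33 obligations above still apply to the export; and a single HMAC key shared across every export makes the tokens linkable between datasets, so use a separate key per recipient or purpose where linkage is not needed.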

Someone’s information may be shared for security reasons, provision of services and selling products or services, if done lawfully.
An online service holding sensitive data such as passport details and medical information is highly intrusive on an individual’s privacy.
Remember that under the GDPR data processors are directly liable for non-compliance and for data breaches, not only controllers.
There can be multiple data controllers involved in a single transaction, for example an insurer and a broker.
You must notify the supervisory authority of a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of the data subjects, and you must tell the data subjects themselves when the breach is likely to result in a high risk to them.
Non-compliance attracts significant fines and sanctions (up to EUR 20 million or 4% of worldwide annual turnover under Article 83), and the reputational damage can cause significant losses for organisations.

What should you consider?

Do I know how my role impacts the protection of an individual’s personal data?
Which of the processes I carry out relate to compliance with data protection regulation?
How do I contribute to the prevention of data breaches?
What are my firm’s policies, processes and controls which help protect all personal data?

If you are unsure of any of the above questions, please talk to your line manager and seek clarification. 

If you think more can be done to protect personal data within your organisation, then let someone know. 

Remember all staff who process/control personal data are expected to ensure compliance with the regulation, so make sure you know your responsibilities, internal policies, practices and processes that relate to data protection.