New Data Protection Rules – Significant Implications for the Insurance Sector

The new General Data Protection Regulation (GDPR) represents a game-changer in data protection law across the EU and must rapidly become a top priority for the “data-heavy” insurance sector. The GDPR paves the way for greater harmonisation of data protection throughout the EU, putting an end to the existing patchwork of national data protection rules, and seeks to enhance the free movement of data within the EU. At the same time, the GDPR significantly increases the penalties for non-compliance. It introduces a wide range of major changes designed to address the significant personal data risks associated with online activities, as well as other key privacy risks.

The final text of the GDPR was agreed on 15 December 2015 and is expected to be formally adopted by the European Parliament and Council soon. The Irish insurance industry can expect the GDPR to be directly enforceable in Ireland from early 2018 and we will continue to provide updates on developments impacting on the industry as 2016 progresses.

Although the text of the GDPR was finalised only recently, the following are some of the key points for insurance firms to be aware of:

  1. Increased Fines: companies breaching the new rules could face penalties of up to 4% of global turnover or €20 million (whichever is higher).
  2. One-Stop-Shop: companies with operations in more than one Member State will be regulated by the Data Protection Authority in the Member State where they have their “main establishment”, meaning that (re)insurance companies and intermediaries will generally only have to deal with one supervisory authority.
  3. Territorial Scope: companies operating and processing personal data in the EU market, regardless of whether or not the company is physically in the EU, will be subject to the GDPR. The same will apply to any data controllers or data processors established in the EU regardless of where the personal data they process is located.
  4. Data Protection Officer: it will be mandatory for companies to appoint a data protection officer (DPO) in certain circumstances, including where:
      · the core activities of the controller or processor involve regular monitoring of data subjects on a large scale; or
      · the controller or processor handles special categories of data, or data relating to criminal convictions and offences, on a large scale.

    SMEs (likely to include most intermediaries) are exempt from this obligation to appoint a DPO, unless data processing is core to their business.

  5. Consent: there are changes to the nature of the consent that must be obtained. It will be mandatory for consent to be freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or inactivity will not constitute consent. The validity of consent will expire once the purpose for which it was sought ceases.
  6. Extension of Liability: responsibility for privacy breaches extends to data processors (e.g. brokers) so both the data controller and data processor will be jointly liable for any damages.
  7. Right to be Forgotten: individuals will have the right to request the deletion of data relating to them which is inaccurate, irrelevant or outdated.

The Irish insurance sector has come under particular scrutiny by the Irish Data Protection Commissioner in recent times (including, most recently, in relation to the use of telematics in insurance products), and this is certain to intensify with the GDPR fast coming down the tracks. The new regulation also forms part of a wider regulatory agenda, given that the Central Bank of Ireland has clearly identified cybersecurity and technology risk as a key area of supervisory focus. While (re)insurance companies and others will have two years to get up to speed on the requirements and obligations under the GDPR, meeting them will take time, so early planning will be key to meeting the deadlines.

As a final note, it is worth adding that although the GDPR poses compliance challenges for the insurance sector, it also presents opportunities, in particular the potential for further growth in the cyber insurance market.

Contributed by Leo Moore & John Magee