What is the purpose of this commentary?
This document aims to help preparing for the application of the “Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” – commonly referred to as the “General Data Protection Regulation” or “GDPR”. The GDPR has been published in the EU’s Official Journal, and will apply from 25 May 2018 throughout the European Economic Area (EEA).
Like the Directive which it repeals, the GDPR is cross-sectoral and so has not been drafted with the insurance sector specifically in mind. This commentary has been prepared specifically to identify relevant provisions of the new legislation as they apply to Bipar members: i.e. intermediaries in the widest sense of the term: (re) insurance brokers, agents and Independent Financial Advisers (IFAs).
All intermediaries, whether large firms or small offices, use personal data to provide a variety of services to clients: to make quotations, arrange insurance cover and offer other financial products, manage claims, manage the client relationship, manage and conduct internal conflict checks. They also use this data for marketing and client profiling purposes, offering renewals, research and statistical analysis, crime prevention, credit assessment and other background checks, internal record-keeping, and meeting legal or regulatory requirements. Arranging insurance and other financial product coverage may require disclosures of personal data to insurers and other service providers such as consultants, market researchers, quality assurance companies, other companies in a corporate group, industry regulators, auditors and other professional advisors. This may require transfers of certain categories of personal data outside the EEA. Because of these activities, intermediaries are frequently “controllers” or “processors” of personal data and, thus fall within the scope of the legislation. Although data protection compliance is not new, the GDPR clarifies roles and responsibilities. Wherever possible this commentary highlights aspects where there is scope to alleviate the burden on small and medium sized enterprises.
To whom is this commentary of interest?
This commentary explains data protection law in light of the changes brought about by the GDPR. First, it summarises the legal context which has resulted in the adoption of the GDPR; it then describes and comments on key requirements of the GDPR as relevant to the insurance intermediary sector, as well as emphasises new duties for intermediaries; by way of conclusion and to help intermediaries prepare for the new rules, a checklist summarises the legislation and its application to intermediaries.
This commentary is not legal advice and, therefore, for specific questions, intermediaries should take their own advice.