Did you hear the one about two wealthy travellers who meet in an airport lounge? One says to the other: “Can you recommend a GDPR expert?” Her companion thinks for a moment and says: “Yes.” “Great,” she says, “can you give me their details?” “No,” says her friend.
The General Data Protection Regulation brings legislation into line with the impact of new technology on society and will come into force on 25 May. At a time when big technology companies are under renewed scrutiny about what they do with our data, the need for new controls is clear. GDPR aims to strengthen citizens’ rights to data protection, particularly over the processing of that data by companies and organisations, and tightens those organisations’ obligations to the individual. The new rules reach into every corner of our increasingly online-led lives, doubtless revealing the extent to which we have all blindly stumbled into letting our personal data go far and wide.
Financial services companies, alert to the sensitivities around personal data, should be amongst the most prepared for the new regulatory regime. The challenge is to communicate the impact on customer relationships simply, minimising disruption and ensuring customers feel that their service provider has their best interests at heart. Some insurers will be better than others, so what should customers be asking them?
1. What personal data are you processing about me?
Insurers should be able to tell individuals what data they are processing on them. Customers provide deeply confidential details as part of the application process to satisfy existing know-your-customer regulations and to help understand the client’s objectives. The best financial services providers will have anticipated GDPR’s requirements in this area and updated the data protection sections of both their terms and conditions and their application forms.
2. How is my data used?
Given the depth and value of the data insurers and wealth managers hold on their clients, how that data is used is a vital element of ensuring the client fully understands their relationship with their financial services providers. Providers should be able to tell clients what, beyond the primary purpose for which it was provided, they do with the data. For example, information may originally have been provided to open an equity portfolio account and to satisfy anti-money-laundering regulations; but what if that data is also used to target the customer with other products?
In this regard, the transfer of data is perhaps the thorniest issue between insurers and their counterparties under GDPR. When transferring customer data to third parties, such as custodian banks or other allied service providers, insurers should obtain disclosure mandates from their clients to satisfy professional secrecy law, and should also ensure that any personal data transferred is used only for the purposes for which the transfer is intended, as data protection law requires. This is particularly important when it comes to cross-border data transfers. Where data is shared with third parties outside the EU, insurers should ensure that they – and their counterparties – meet the necessary EU regulatory standards, regardless of their jurisdiction.
This is an element of GDPR which is especially good for individuals worried about the security of client data. Financial services providers are constantly targeted by fraudsters, creating an arms race between providers of encryption technologies and those deploying increasingly sophisticated brute-force mathematical algorithms to access sensitive data. GDPR requires financial services providers to meet the highest standards of data security; Lombard International Assurance operates the highest standards of information security and is ISO 27001 certified.
3. Do you have any procedures in place in case of data breach?
Holding data securely is one thing, but preparing for the worst is especially important should an insurer suffer a data breach. Clients should ask their insurers what procedures are in place for informing them of data breaches, and in particular what communications and proactivity they can expect from their insurer.
With this in mind, Lombard International Assurance has updated its Data Protection Policy, including new requirements for the notification of personal data breaches to the Data Protection Authority.
4. What are my rights over my personal data?
Where insurers can build trust with their clients is in explaining their rights over personal data, strengthening the relationship and demonstrating expertise. Explaining, for example, how existing regulations, such as anti-fraud, anti-money-laundering and anti-terrorism regulations, require financial services companies to hold personal data for determined periods after a commercial relationship has ended is the first part of strengthening trust. The second part is clarifying the rights clients have over their personal data: the right of access to what is held, and the rights to be informed, to rectification, to object, to restrict third-party sharing, to erasure (the right to be forgotten) and to portability.
5. Do you have a Data Protection Officer role in place?
In essence, the questions clients should ask of their insurers revolve around the way in which they have met GDPR’s requirement for businesses to create a new role: that of the Data Protection Officer (DPO), who controls how information is used, stored and shared with third parties.
DPOs should be responsible for informing the insurer’s staff who process personal data of their obligations, monitoring compliance with the regulation, providing advice, and cooperating with the Data Protection Authority and acting as its contact point. This encompasses the creation and management of a personal data register, built around the new GDPR requirement, which records for each processing activity its objective, legitimacy, appropriateness, accuracy, security, storage and the data minimisation principles applied.
The best insurers will have DPOs, demonstrating they understand the aims of the regulation and are truly focused on their clients’ best interests.
Written by Alexandre Mollard
Head of Compliance, Lombard International Assurance
Lombard International Assurance has been awarded the ISO 27001:2013 certification for their Information Security Management Systems.