GDPR Perspectives for the ReInsurance Sector Eoin Caulfield

GDPR Perspectives for the Re/Insurance Sector
Eoin Caulfield, Partner, William Fry Insurance
John O’Connor, Partner, William Fry Technology Law and Data Protection
November 2017
williamfry.com

GDPR – regulatory insurance perspective
• We’ve been here before!
  – Solvency II, IDD, PRIIPs etc.
  – Product oversight and governance
  – Policyholder as “data subject”
• Overlapping regulatory environment
  – Central Bank of Ireland
  – Data Protection Commissioner’s Office
  – Competition and Consumer Protection Commission

As good as your weakest link – insurance product lifecycle
Lifecycle stages shown in the diagram:
• Product design
• Use of aggregate data, pricing, reserving
• Reinsurer interactions
• Marketing and distribution
• Policy submission and quotation
• Claims assessment and payment
• Endorsements, MTAs, renewals
• Premium collection, fees and commissions
• Underwriting
Lines of business: life insurance, non-life insurance, health insurance, reinsurance
Data subject = policyholder
Elements in the chain:
• Data controller
• Data processor
• Both

GDPR – CBI and traction within industry
• Central Bank of Ireland
  • Cross-sectoral themed review on outsourcing – questionnaire references data use
  • Insurance Directorate briefing (24 October) – operational risk w.r.t. data / cyber etc.
• Traction and Board level involvement
  – Different impacts – life, non-life, health, reinsurance
  – Running theme
    • Disruption of existing operational models (in an industry reliant on data)
    • GDPR as an opportunity to unlock value
    • Direct marketing – e.g. ‘re-permissioning’ / opt-ins
    • Future proofing – InsureTech, automated underwriting, telematics etc.
• 25 May 2018 grows closer…

A mixed bag, really, for the insurance sector?
• Accountability principle
• Huge potential administrative fines
• Civil claims (includes joint and several liability)
• Enhanced Data Subject Rights, including data portability
• More detailed Data Privacy Notices
• DPO requirements
• Mandatory data security breach reporting
• Stricter data security requirements
• More difficult to rely on consent
• Restrictions on use of data relating to health and criminal convictions and offences
• Increased complexity and risk for data processing arrangements
• Extra-territorial reach
• DPIAs for High Risk processing

But, there is significant continuity
• Personal data
• Controllers and processors
• Six Core Principles
  1. fair processing (lawful, fair, transparent)
  2. purpose limitation (no incompatible use)
  3. data minimisation (adequate, relevant and limited to what is necessary)
  4. data accuracy (correct and up to date)
  5. data retention (kept in a form that permits identification for no longer than necessary for the purposes)
  6. data security (including integrity and confidentiality)
• (+ Accountability)
• Legitimate processing grounds are very similar

Sweet?
• 99 Articles
• 173 Recitals
• But seriously:
  • Lead authority mechanism
  • Consistency Mechanism – greater harmonisation
• Reasons to take a broad, holistic approach to compliance:
  • good data governance
  • reputation and trust
  • better trained staff
  • possible competitive advantage

Legitimate Processing Conditions: Non-Sensitive Personal Data
• Consent - The individual has given consent to the processing for one or more specific purposes. Consent will be harder to obtain under GDPR and needs to be “freely given, specific, informed and unambiguous”, and a clear affirmative action is required. Consent can be withdrawn, and withdrawal triggers the right to erasure.
• Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual, or in order to take steps at the request of the individual prior to entering into a contract. Triggers the data portability right.
• Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Triggers the right to object and additional requirements for the privacy notice.
• Legal obligation - The processing is necessary for compliance with an (EU or Member State) legal obligation to which the controller is subject.
• Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person (i.e. medical emergencies).
• Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Main Legitimate Processing Conditions: Sensitive Personal Data
• Explicit consent - The individual has given explicit consent. However, EU or Member State law may limit the circumstances in which consent is available.
• Legal obligation related to employment - The processing is necessary for a legal obligation in relation to employment and/or social security law, or for a collective agreement.
• Archiving and Research - The processing is necessary for archiving, scientific or historical research purposes or statistical purposes, and is based on EU or Member State law.
• Legal claims - The processing is necessary for the establishment, exercise or defence of legal claims, or for Courts acting in their judicial capacity.
• Public information - The processing relates to personal data which is manifestly made public by the data subject.
• Substantial public interest - The processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law.
• Vital interests / Healthcare and Public Health - The processing is necessary in order to protect the vital interests of the individual or of another natural person (i.e. medical emergencies); or the processing is necessary for healthcare purposes and is subject to suitable safeguards; or the processing is necessary for public health purposes.

Art. 10 GDPR - Processing of personal data relating to criminal convictions and offences
• Processing of personal data relating to criminal convictions and offences is restricted to official authority, or to where the processing is authorised by EU or EU Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
• Insurers need to be in a position to analyse and assess insurance risk for fraud prevention and other legitimate purposes.
• The General Scheme of Data Protection Bill 2017 (published May 2017) provides 9 specific exceptions at Head 19, including:
  – an exception where processing is ‘necessary for the assessment of risk or prevention of fraud’
  – processing necessary ‘for the establishment, defence or enforcement of civil law claims’
• These exceptions do not appear to cover processing of such data to comply with anti-money laundering legislation, fitness and probity legislation, or other legal obligations of insurance undertakings. There are also issues in relation to relying on consent, mainly because consent can be withdrawn.

Feast of enhanced data subject rights?
• Right to erasure of data (aka “Right to be Forgotten”)
• Right to data portability
• Right to more details of the processing, including length of retention time
• Right to be notified of a data security breach event in certain circumstances
• Right to restrict automated processing
• Data subject access request deadline reduced to 1 month
• Right to bring a civil claim for material and non-material damage

Art. 20 GDPR - Data Portability Right
• The right to data portability only applies:
  – to personal data an individual has provided to a controller
  – where the processing is based on the individual’s consent or for the performance of a contract
  – when processing is carried out by automated means
• Controllers must:
  – provide the personal data in a structured, commonly used and machine readable form
  – provide the personal data free of charge, without undue delay, and within one month
  – if requested, transmit the data directly to another organisation if this is technically feasible.

Art. 22 GDPR - Restriction on Automated Processing
• Data subjects have the right not to be subject to a decision when:
  – it is based on automated processing, which may include profiling
  – it produces a legal effect or a similarly significant effect on a person
• Controllers must ensure that data subjects are able to:
  – obtain human intervention
  – express their point of view
  – obtain an explanation of the decision and challenge it
• The right does not apply if the decision:
  – is necessary for entering into or performance of a contract
  – is authorised by EU or EU Member State law
  – is based on explicit consent (Article 9(2))
  – does not have a legal or similarly significant effect on a person.

GDPR is driving a new way of thinking about personal data
• Accountability principle means that organisations will need to be able to demonstrate compliance with GDPR
• Data protection “by design” and “by default”
• Data protection impact assessments
• Encryption and pseudonymisation are encouraged
• Good privacy compliance could generate competitive advantage

Data Protection: a new contract / renewal of an existing contract
• Controllers and Processors must have a written contract
• Processor’s main obligations:
  – maintain appropriate technical and organisational security measures
  – maintain a detailed record of the processing, types of data etc.
  – notify the Controller without undue delay in the event of a security breach
  – delete/return data on termination
  – provide information and allow for and contribute to pre-contractual diligence and audits
  – cooperate in relation to DPIAs
  – cooperate with supervisory authorities and with Controllers’ inspections / audits
  – flow down terms to sub-processors (being mindful of liability for sub-contractors)
• Other matters to consider:
  – limitations and exclusions of liability (joint for civil claims). Consider cross indemnities
  – “privacy by design” and “privacy by default”
  – data transfers

What does “appropriate” security really mean?
• Controllers and processors are required to:
  – “implement appropriate technical and organisational security measures”, taking into account
  – “the state of the art and the costs of implementation” and
  – “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
• Processing of personal data for the purposes of ensuring network and information security, including preventing unauthorised access and preventing damage, appears to be permitted

Ok, but what does that mean?
• GDPR provides specific suggestions for what kinds of security might be considered “appropriate to the risk,” including, where appropriate:
  – pseudonymisation and encryption
  – systems to:
    • ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
  – systems for regularly testing, assessing and evaluating the effectiveness of security measures
• Approved codes of conduct or an approved certification mechanism may be used to demonstrate compliance

Empowered Data Protection Authorities
• Lead authority mechanism + concerned authorities + consistency mechanism = increased cooperation between DPAs
• Can levy huge fines under the GDPR
• Powers to stop transfers and unlawful data processing
• Audits / investigations – potential for “dawn raids”
• Power to “name and shame”
• Will expect a road map to compliance – shoulder to the wheel!
• Irish DPA:
  – Firm but fair
  – Separation of consultations / investigations
  – 100 people and scheduled to double in size

Ok, I see, I’d better get on with it
• Non-compliance is not an option – the stakes are too high
• It can’t be contracted out of
• Employees, customers, business partners and stakeholders will expect it
• “There is a lot to do!”
• Watch closely the General Scheme of Data Protection Bill 2017 (published May 2017)

Questions & Answers
williamfry.com