GDPR may serve as model for future laws
The European Union’s General Data Protection Regulation (GDPR) creates binding obligations for organizations that process the personal data of individuals in the EU. (The GDPR uses the term “personal data,” which is broader than the US notion of personally identifiable information, or PII.) Its territorial scope (Article 3) reaches US carriers that have an establishment in the EU and carriers that, from the US, offer services to or monitor the behavior of individuals located in the EU. A carrier that decides the purposes and means of that processing is a “data controller” under the GDPR and must understand its provisions and how to comply with them.
The GDPR (in effect since May 25, 2018) gives individuals control over their personal data by imposing strict controls on how it is processed and transferred and by obliging controllers to erase it on request. The law enumerates the lawful bases on which personal data may be processed (Article 6); consent is one of them, and where a carrier relies on consent it must be freely given, specific, informed, and unambiguous, with explicit consent required for special categories such as health data (Article 9). The law also grants individuals the rights to see, correct, and erase their data (Articles 15 to 17). Carriers should note that the GDPR’s definition of personal data is broader than typical US definitions of PII: it covers any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs.
Because GDPR consent must be an affirmative opt-in (silence, inactivity, or pre-ticked boxes do not count), insurance carriers must request, receive, and record customer consent in a way that is secure, tied to a specific purpose, and referenceable by every process that acts on customer data rights. Carriers must also record when each consent was given and what the customer was shown, since a data subject can withdraw consent at any time (Article 7(3)), consent given for one purpose does not cover a new one, and the carrier must be able to demonstrate that valid consent existed for each use (Article 7(1)). Insurers working in the EU or with EU residents should also be careful to pseudonymize or anonymize personal data they retain for analytics, keeping in mind that only truly anonymized data falls outside the GDPR; pseudonymized data, such as a keyed hash of a customer identifier, is still personal data.
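The consent-capture requirement above can be made concrete as a small ledger. The following is an added illustration, not code from Novarica or from any of the vendors named in this post; the record layout, the two-year re-confirmation policy, and the use of an HMAC over a normalized e-mail address as the cross-process subject reference are assumptions made for the example. Each record is scoped to one purpose, keeps the evidence of what the customer saw, can be withdrawn, and is checked as of a given instant so a process can prove consent existed at the time of use.

```python
"""Purpose-scoped consent ledger with withdrawal and pseudonymous subject references.

Added example, not code from the original post or any vendor. The storage shape,
the field names and CONSENT_REVIEW_PERIOD are assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed internal policy: ask the customer to re-confirm after this long.
# The GDPR itself sets no fixed expiry; it requires that consent stay specific
# to its purpose and be withdrawable at any time.
CONSENT_REVIEW_PERIOD = timedelta(days=365 * 2)


@dataclass
class ConsentRecord:
    subject_ref: str            # pseudonymous reference, never the raw identifier
    purpose: str                # one specific purpose per record (e.g. "marketing")
    given_at: datetime          # when the affirmative act happened
    evidence: str               # what the customer saw and did, for Art. 7(1) demonstrability
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._records: List[ConsentRecord] = []

    def subject_ref(self, email: str) -> str:
        """Keyed hash of the normalized e-mail so other processes can reference the
        subject without holding the address. This is pseudonymization, which is still
        personal data under the GDPR, not anonymization."""
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def record_consent(self, email: str, purpose: str, evidence: str,
                       given_at: Optional[datetime] = None) -> ConsentRecord:
        """Append a new consent record; earlier records for the same purpose are kept
        as history rather than overwritten."""
        rec = ConsentRecord(self.subject_ref(email), purpose,
                            given_at or datetime.now(timezone.utc), evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str, at: Optional[datetime] = None) -> int:
        """Mark every open record for this subject and purpose as withdrawn.
        Returns how many records were closed."""
        at = at or datetime.now(timezone.utc)
        ref = self.subject_ref(email)
        closed = 0
        for rec in self._records:
            if rec.subject_ref == ref and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                closed += 1
        return closed

    def is_valid(self, email: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if the most recent consent for this exact purpose was in force at `at`:
        given before `at`, not withdrawn by then, and inside the review period."""
        at = at or datetime.now(timezone.utc)
        ref = self.subject_ref(email)
        candidates = [r for r in self._records
                      if r.subject_ref == ref and r.purpose == purpose and r.given_at <= at]
        if not candidates:
            return False                       # no affirmative act on record
        latest = max(candidates, key=lambda r: r.given_at)
        if latest.withdrawn_at is not None and latest.withdrawn_at <= at:
            return False                       # withdrawn before the time of use
        if at - latest.given_at > CONSENT_REVIEW_PERIOD:
            return False                       # stale under the assumed re-confirmation policy
        return True


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    ledger = ConsentLedger(pseudonym_key=b"replace-with-a-secret-from-a-key-store")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.record_consent("jane@example.com", "marketing",
                          "ticked unchecked 'marketing e-mails' box, form v3", given_at=t0)
    print("marketing at +30d:", ledger.is_valid("jane@example.com", "marketing", at=t0 + timedelta(days=30)))
    print("analytics at +30d:", ledger.is_valid("jane@example.com", "analytics", at=t0 + timedelta(days=30)))
    ledger.withdraw("jane@example.com", "marketing", at=t0 + timedelta(days=60))
    print("marketing at +61d:", ledger.is_valid("jane@example.com", "marketing", at=t0 + timedelta(days=61)))
```

Checking consent “as of” a timestamp rather than “now” is deliberate: a complaint or audit asks whether a specific mailing or model-training run was covered when it happened, and a ledger that only answers for the present moment cannot demonstrate that.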
All carriers, whether they do business in the EU or not, should understand that the GDPR may serve as a model for future laws and is an indicator of what US regulators may soon require of insurers’ data governance and cybersecurity overall. Many established providers offer tooling for the data discovery, consent management, and data protection challenges this creates; these include, but are not limited to, BigID, Citrix, IRI, MetricStream, OneTrust, Oracle, Protegrity, Qualys, and Veritas.
This blog entry has been reposted with permission from Novarica.