May 22, 2017

Acronyms of the day: GDPR and PLP

Big data has been a buzzword of the IT world for some years already. With increasing computing efficiency, data is turning into a big business. We all generate data for various actors just by living, consuming and travelling. As more and more data is collected, cybersecurity threats are real risks and are taken seriously by serious operators, the EU included.

A new regulation on Data Protection was published on 4 May 2016 in the EU Official Journal. The regulation will take effect in May 2018. These reforms have extensive effects across many fields. The insurance industry is no exception, as the regulation will have an impact on all organizations working with personal data, from small non-profits all the way to big corporations and even the public sector. There seems to be a great deal of worry about the effects of the legislation, especially with the threat of heavy sanctions for anyone found not complying.

The regulation also aims to facilitate companies working across countries within the EU by harmonizing the way personal data needs to be protected. Unlike a directive, which needs to be implemented in the national law of each member state, a regulation is effective as such and overrides any conflicting national law. In this case, the regulation leaves room for very little national maneuvering. The country-specific exceptions mainly deal with the public sector.

One of the key points in the regulation is the lawfulness of processing personal data:

“Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.”

The data subject should be aware of and have given consent to the processing of her personal data, or the processing must be necessary for the performance of a contract or for compliance with a legal obligation. In the case of PLP, the lawfulness of personal data processing comes from an existing contract, the insurance policy, as well as from the legal requirement to keep the data and report information to authorities.

The regulation lists the rights of data subjects. The following apply to PLP.

Article 15: Right of access by the data subject
Data subject should be aware what kind of personal information is stored and have access to the data.
PLP has its own client register, but it usually works as a slave to a master client register. Insurance companies using PLP typically have their own self-service portal, and customers can view their own personal information online. Integration directly to PLP or through the master client register satisfies the requirement of the regulation.

Article 16: Right to rectification
A natural extension of being able to view your personal information is being able to correct it if and when it is incorrect. Changes to the master client register are propagated to PLP’s Client Manager automatically via integration. If necessary, services for viewing and updating data, for example from a self-service portal, could also be added to PLP.

Article 17: Right to be forgotten
In PLP, data is kept as long (and only as long) as there is a legal obligation to do so. All old policies and related client data are removed as soon as possible. Some additions are being made to the removal process to make sure no personal data remains in the system longer than the law requires.
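The retention rule above (remove policy data once the legal retention period has passed, and remove a client's data only when none of that client's policies is still within retention) is the kind of check a purge job has to get right. The following is an added example, not PLP's or Profit Software's own code: the retention period, the `Policy` record layout and the sample policies are constructed assumptions, and a real system would take the retention period from the applicable law and the records from the client register.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed legal retention period after a policy ends. Constructed value for
# the example; the real period comes from the applicable legislation.
LEGAL_RETENTION = timedelta(days=10 * 365)


@dataclass(frozen=True)
class Policy:
    policy_id: str
    client_id: str
    end_date: Optional[date]  # None means the policy is still active


def retention_expires(policy: Policy) -> Optional[date]:
    """Date after which the policy data may be removed; None while active."""
    if policy.end_date is None:
        return None
    return policy.end_date + LEGAL_RETENTION


def past_retention(policy: Policy, today: date) -> bool:
    """True only for ended policies whose retention period has fully elapsed."""
    expires = retention_expires(policy)
    return expires is not None and expires < today


def policies_to_purge(policies: List[Policy], today: date) -> List[str]:
    """Policy ids whose data may be removed today."""
    return sorted(p.policy_id for p in policies if past_retention(p, today))


def clients_to_purge(policies: List[Policy], today: date) -> List[str]:
    """Client ids whose personal data may be removed today.

    A client is removable only when every one of their policies is past
    retention; an active or recently ended policy keeps the client record.
    """
    by_client: Dict[str, List[Policy]] = {}
    for p in policies:
        by_client.setdefault(p.client_id, []).append(p)
    return sorted(
        client_id
        for client_id, ps in by_client.items()
        if all(past_retention(p, today) for p in ps)
    )


# Constructed sample data for the example.
SAMPLE_POLICIES = [
    Policy("P1", "C1", date(2005, 1, 1)),   # ended long ago -> removable
    Policy("P2", "C2", date(2012, 1, 1)),   # ended, still within retention
    Policy("P3", "C1", None),               # active -> keeps client C1
    Policy("P4", "C3", date(2000, 6, 30)),  # ended long ago, only policy of C3
]
TODAY = date(2018, 5, 25)

if __name__ == "__main__":
    print("policies to purge:", policies_to_purge(SAMPLE_POLICIES, TODAY))
    print("clients to purge:", clients_to_purge(SAMPLE_POLICIES, TODAY))
```

Run as a dry run, the report lists P1 and P4 as removable policies but only C3 as a removable client: C1 still has the active policy P3, so its personal data must stay even though P1 can go. Keeping the two decisions separate is what stops a purge from either deleting a live customer or leaving an expired policy behind.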

Right to restriction of processing when information is incorrect or processing is unlawful
In PLP, client data should be up to date or, when it is not, easy to update. Processing is also lawful because all client data is kept only as long as necessary.

Right to object and restrict profiling
As PLP does not have functionalities for customer profiling, there is no need for a tool to restrict profiling. Typically, PLP has an integration to an external data warehouse system. The information that a client has objected to profiling should be added to the external system, since profiling would probably also be done there. If needed, the information that a client objects to profiling could be added to PLP’s Client Manager. At the moment, as there is no clear need for this, the information will not be added to our product solution.

After spending some time getting to know the GDPR a little better, I am quite confident that the doom will probably not come on May 25th 2018. Digitalization will continue its march on transforming the ways we communicate, work and entertain ourselves, and we at Profit will continue to be part of that. The privacy regulation is there to ensure the safety of people’s information. As always, the biggest challenge will be to change the way of thinking; the rest is just code. To paraphrase Spiderman’s famous quote: with big data comes big responsibility. We at Profit are happy to help our customers in handling that responsibility.

By Anni Siitonen, Business Analyst at Profit Software