Do you need to hire a data protection officer under the GDPR?

Source: Insurance Business UK

There has been much talk about the impending General Data Protection Regulation (GDPR), and how it will change the data protection landscape for insurance businesses when it comes into effect next May.

But one arguably less discussed aspect of the new law is that many insurance firms will be required to hire someone whose role is specifically to oversee data protection and compliance.

“One of the key things in the GDPR is the requirement to appoint a data protection officer,” Jade Kowalski, senior associate at law firm DAC Beachcroft, said at an MGAA market briefing in London this month.

Under the regulation, companies will need to appoint a data protection officer if their core activities consist of processing operations which require “regulated, systematic monitoring” of individuals or the processing of special categories of data on a large scale – which will include many insurance businesses, Kowalski explained.

But the difficult part is working out whether that applies to your business. Though there has been “some guidance” at the European level, there is no simple answer as to which areas of insurance may mean a company is more likely to need an officer.

“Carrying out that analysis is actually quite tricky, especially in the insurance space. There are examples of some insurance businesses which are so obviously consumer facing that it’s almost a foregone conclusion,” commented Kowalski. “There are others, particularly where your focus is more on commercial lines, where it’s not so clear cut,” she said.

While consumer-centred businesses are more likely to fall under the category of monitoring individuals on a large scale, some areas of commercial lines stand out too.

“We do see real pockets and real hotspots of data in lines like public liability for example… and so whilst you might not initially think that you need to worry about it, actually if you have a very big public liability line you might want to consider that,” the associate warned.

The first step for businesses is to conduct a detailed analysis of the extent of their data processing and the subjects they collect data on, but Kowalski said that insurance firms should not act hastily.

“Don’t immediately appoint a data protection officer,” she said. “But do document that analysis, because if you decide not to [appoint an officer] and you’re later questioned, you’ve got something you can go back to and show.

“I think the regulator would be far more sympathetic if you had carried out the analysis and got to the wrong conclusion, than if you hadn’t carried out the analysis at all,” she advised.
