GDPR compliance at insurance companies, banks and financial institutions
GDPR is the most important data protection regulation in the last 20 years. It applies to all companies in the European Union that collect personal data - financial institutions included.
However, there are no clear guidelines as to how the implementation of GDPR should proceed, or how companies should protect their personal data. Each institution must therefore independently analyze what data it has, what risks are involved and how data security can be ensured. The implementation of GDPR not only imposes additional obligations on companies, but also gives numerous privileges to customers. Every citizen has the right to request all personal data any company holds about them, or to have the data transferred to another company, for example, between banks. GDPR's implementation plan also assumes that a customer may request that their data be deleted from the company database if it is not currently in use.
Can companies circumvent these regulations in any way? The implementation of GDPR does not leave much room for maneuver. Companies that do not comply with EU requirements can be subject to large fines, up to 4 percent of their annual revenues or 20 million euros, whichever is higher. The exact amount of the fine depends on the type of data that has been insufficiently secured and the extent of the damage involved. The GDPR implementation process also assumes that even when data is unknowingly made available or a hacking attack occurs, an institution is obliged to inform customers about it. It has 72 hours to do so. How exactly has the implementation of GDPR affected the work of banks and insurance companies?
GDPR at banks and financial institutions
The regulation has had a strong impact on financial institutions as they process a large amount of personal data. Every process of GDPR implementation in financial institutions should start with an analysis of their resources. Every financial institution now needs to know if it has archived unsuitable or forgotten data. To ensure that customer personal data is always under control and that the process of GDPR implementation in banks is efficient, a Personal Data Controller should be appointed.
Institutions now also need to keep track of who has access to their customers' data, plus when and how the data is processed and protected. The GDPR implementation plan should therefore include the use of state-of-the-art technology to ensure the best possible data protection. One of the obligations of the institutions under the GDPR at banks and financial institutions is to implement a register of personal data processing activities. According to the new regulation, the bank is also obliged to provide information on data processing and must have a documented consent for data processing.
At any time, the customer may withdraw their consent for the use of their data, and banks must put this on record. The customer should also have an easy way to do so. An important change brought about by the process of implementing GDPR at financial institutions, mainly banks, is the clarification of the approvals that can currently be granted to specific actions and individuals. This means that the customer can now agree to only a specific form of communication, such as e-mail. In such a situation, the bank cannot make phone calls to the customer with marketing offers.
GDPR in banks also influences the process of conveying offers to customers. If a customer does not agree to receive marketing offers, this can make it more difficult to send personalized offers. Therefore, financial institutions should have a GDPR implementation plan with appropriate mechanisms to deal with such cases.
Implementation of GDPR at insurance companies
In the case of insurers, the GDPR implementation process is similar to that of banks and other institutions that process personal data. Insurance companies must create their own GDPR implementation process, which allows them to protect their customers' personal data as much as possible and process it in accordance with the guidelines of the regulation. However, GDPR at insurance companies often requires even more decisive steps to be taken. Because agents often collect extremely sensitive data, defined by GDPR as "special category data", such as lifestyle, state of health or addictions, this data requires special protection, and its leakage or illegal transfer can have very serious consequences.
Other important issues
Another important issue regulated by GDPR at insurance companies is the insurance of minors. At present, processing of minors' data requires parental consent. Another important issue is the cooperation of insurance companies with third parties, such as brokers. The process of implementing GDPR requires, in this case, the signing of an appropriate form of contract, which determines whether the broker is a data processor or also a data controller.