What is GDPR?
The GDPR became effective on 25 May 2018 (replacing the earlier EU Data Protection Directive) and is the most significant piece of European data protection legislation to be introduced in 20 years. The legislation has a global impact and applies to organizations outside of the EU that handle the Personal Data (as defined below) of EU residents (defined as Data Subjects). GDPR has reshaped the way corporations around the world approach data privacy and has strengthened the rights of people whose Personal Data is processed or handled by other companies.
Both Data Controllers (e.g. primary insurers and reinsurers in charge of the data) and Data Processors (such as RMS®, which processes data on behalf of our clients) have joint responsibility to abide by GDPR. Data Controllers must only use Data Processors who meet GDPR requirements.
5 Key Facts
- Personal Data means any information relating to an identified or identifiable individual; the definition of Personal Data was extended to include identifiers such as: (1) genetic; (2) mental; (3) cultural; (4) economic; and (5) social identity.
- Fines of up to the greater of €10 million or 2% gross annual revenue for some violations, and up to the greater of 4% of gross annual revenue or €20 million for other violations can be imposed by the supervisory authority.
- Consent must be active and affirmative by the data subject. Data Controllers need to keep a record of how and when the individual gave consent. The individual can withdraw their consent at any time.
- The individual has the right to withdraw consent and ask for their Personal Data to be deleted from the organization's systems within 30 days.
- In the event of a data breach, Data Controllers must notify the supervisory authority within 72 hours of becoming aware of it. Data Processors will need to have an incident response plan that supports the Data Controller’s notification requirements.
GDPR Does Not Only Affect Companies in the EU
This is the main difference between the GDPR and the older EU Data Protection Directive of 1995. Any company that collects, processes, transmits or stores Personal Data of an EU Data Subject is bound by the GDPR, even if that company is located outside of the EU.
This applies to any company that:
- Collects or processes Personal Data from employees in the EU.
- Collects or processes Personal Data from people (non-employees) in the EU.
- Collects or processes Personal Data from people in the EU on behalf of another business.
What is the Right to be Forgotten?
Under GDPR an EU Data Subject can request the removal of Personal Data that is being collected or processed by a separate entity. GDPR requires that when an individual invokes the right to be forgotten, the organization must delete the data from its systems within 30 days.
RMS has processes and procedures in place so that any client data received is only held and processed for as long as is necessary to fulfill any contractual obligations. Once the processing has finished, all received data is promptly removed from RMS systems in accordance with the contract terms.
Since RMS acts as a Data Processor of Personal Data and not a Data Controller with respect to the handling of client data, a request by an EU subject to invoke the right to be forgotten would be initiated with the client directly, and not RMS. At that point, RMS has procedures that will be invoked on behalf of the client so that the Data Subject’s information is removed from our systems.
Is RMS a Data Processor or a Data Controller Under GDPR?
RMS is classified as a Data Processor under the GDPR when we process data on behalf of our clients as a service. Our clients are Data Controllers because they have the direct relationship and collect the Personal Data directly from an EU Data Subject.
Even so, RMS only receives a very small subset of Personal Data from our clients, and it is almost entirely related to a physical address or geographic location.
As a Data Processor, we do still have an obligation to protect the client data we receive, which is why we have implemented data protections when receiving client data to build privacy by design into our systems and data handling processes.
GDPR is Important to RMS
Location data such as property exposure data may be considered Personal Data by our clients, but it is important to understand that this location data is essential to the work we do.
There are direct implications and obligations for Data Processors of Personal Data. Data aggregation and anonymization are tools used to minimize the risk of processing and sharing such data.
We are committed to working towards a shared operating model with identified requirements so ALL stakeholders are comfortable sharing valuable data insight.
Does RMS Have a Designated Data Protection Officer (DPO)?
Fulfilling the DPO requirement for GDPR does not require a statutory DPO function to be assigned to a single individual. However, RMS has appointed a DPO, who in conjunction with a data privacy governance board, will help address all privacy and data protection issues for the purpose of GDPR compliance.
For customer information, please refer to Owl.