5 Key Facts

  • Personal Data means any information relating to an identified or identifiable individual; the definition of Personal Data was extended to include identifiers such as: (1) genetic; (2) mental; (3) cultural; (4) economic; and (5) social identity.
  • Fines of up to 4% of annual worldwide turnover or €20 million – whichever is greater.
  • Consent must be active and affirmative by the data subject. Data Controllers need to keep a record of how and when the individual gave consent. The individual can withdraw their consent at any time.
  • The individual has the right to withdraw consent and ask for Personal Data to be deleted.
  • In the event of a data breach, Data Controllers must notify the data protection authority without undue delay and within 72 hours. Data Controllers and Data Processors will need to develop an agreed-upon incident response plan.

GDPR Does Not Only Affect Companies in the EU

This is the main difference between the GDPR and the older EU Data Protection Directive of 1995. Any company that collects, processes, transmits or stores Personal Data of an EU Data Subject is bound by the GDPR, even if that company is located outside the EU.

This applies to any company that:

  1. Collects Personal Data from employees in the EU.
  2. Collects or processes Personal Data from people in the EU.
  3. Collects or processes Personal Data from people in the EU on behalf of another business.
  4. Collects or processes Personal Data from EU Data Subjects for a legitimate business purpose as part of a contractual obligation.

What is the Right to be Forgotten?

Under GDPR, an EU Data Subject can request that Personal Data being collected or processed by a separate entity be removed. GDPR requires that when an individual invokes the right to be forgotten, the organization must delete the data from its systems without undue delay.

RMS has processes and procedures in place so that any client data received is only held and processed for as long as is necessary to fulfill any contractual obligations. Once the processing has finished, all received data is promptly removed from RMS systems in accordance with the contract terms.

Since RMS acts as a Data Processor of Personal Data and not a Data Controller with respect to the handling of client data, a request by an EU Data Subject to invoke the right to be forgotten would be initiated with the client directly, and not with RMS. At that point, RMS has procedures that will be invoked on behalf of the client so that the Data Subject’s information is removed from our systems.

Is RMS a Data Processor or a Data Controller Under GDPR?

RMS is classified as a Data Processor under the GDPR because we process data on behalf of our clients as a service. This enables us to provide risk quantification for the various models we produce. Our clients are Data Controllers because they have the direct relationship and collect the Personal Data directly from an EU Data Subject.

Even then, RMS only receives a very small subset of Personal Data from our clients, and it is almost entirely related to a physical address or geographic location. However, under the GDPR, this data qualifies as Personal Data because it can be used to indirectly identify a person.

As a Data Processor, we do still have an obligation to protect the client data we receive, which is why we have implemented data protections when receiving client data to build privacy by design into our data handling processes.

GDPR is Important to RMS

Location data such as property exposure data may be considered Personal Data by our clients, but it is important to understand that this location detail is central to the work we do.

There are direct implications and obligations for Data Processors of Personal Data. Data aggregation and anonymization are tools used to minimize the risk of processing and sharing such data.

However, aggregating location data up to postal code as a way of managing risk can undermine the value of RMS models and is disruptive to the information and risk distribution chain within the insurance industry. We are committed to working towards a shared operating model with identified requirements so that ALL stakeholders are comfortable sharing valuable data insight.

Does RMS Have a Designated Data Protection Officer (DPO)?

Fulfilling the DPO requirement for GDPR does not require a statutory DPO function to be assigned to a single individual. However, RMS has appointed a DPO who, in conjunction with a data privacy governance board, will help address all privacy and data protection issues for the purpose of GDPR compliance.

For customer information, please refer to Owl.