GDPR and Insurance Brokers: What You Need to Know

What does this mean for your firm, and what is the process for compliance?

You couldn't have missed the news: since May 25, 2018, the General Data Protection Regulation (GDPR, or RGPD in French) imposes rigorous handling of the personal data you hold, whether it concerns your prospects and clients or your employees, partners, subcontractors, etc.

Consumer habits have changed: consumers are looking for quality and for respect for their privacy. By highlighting your ethics, you create lasting opportunities for your practice.

That said, what does this mean for you?

As an insurance broker, your activity involves collecting a great deal of data (name, address, email, telephone, date of birth, marital status, company, activity, contracts subscribed to, etc.) on your prospects and clients, but also on your employees, suppliers and partners. You are therefore responsible for this data.

As a professional, you must therefore take a number of measures to protect the data, inform the persons concerned, monitor your activities and ensure that this data is not shared or used without the consent of those persons.

You must also ensure that your subcontractors comply with the GDPR. And of course, make sure the software and platforms you use are GDPR-compatible or, better still, help you comply.

What is to be done?

The French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), has listed 5 steps to comply in a very simple way. Here they are, with a few additions:

1- Establish a data processing register

In a register, list all the data you process, and keep it in a document structured by department or activity.

Organise your register by creating a sheet for each of these activities, specifying the purpose of the processing, the categories of data, the persons who have access to the data, and finally how long the data will be kept.

Also keep in this register a list of your subcontractors and the type of data they have access to.

Finally, keep a history of the data processing requests you receive.

2- Sort the data

When creating your register, ask yourself whether each piece of data is necessary, how sensitive it is and how long it should be retained, but also who the stakeholders are: which data is relevant to whom, and who can access it.

This exercise allows you to simplify your processing, eliminate data of no real use, identify so-called sensitive data, and set up automatic deletion or archiving rules.

3- Inform stakeholders

The GDPR requires companies to be transparent and to inform all stakeholders about the collection of data concerning them. Therefore, be sure to include a statement in your data collection process indicating that data is being collected, the reason for it, how long it will be kept, etc.

4- Allow the exercise of rights

Each person whose data is held and processed by your firm has rights. You have an obligation to allow, and above all to facilitate, the exercise of these rights: namely the rights of access, rectification, objection and deletion.

5- Secure the data

Finally, the GDPR imposes a legal obligation to secure the data you hold and use.

Make sure that your CRM and all the software you use meet this data protection requirement, and don't hesitate to define new security measures.

In practice, make sure that your data is not freely accessible and does not circulate without authorization. Only the persons who actually need it should have access to it. Avoid, for example, lists and spreadsheets whose access cannot be restricted, or that expose every column and row to everyone who can open them.

An opportunity to seize

Although it may seem heavy and constraining, the GDPR is an opportunity for you, and a chance to start a digitalization process.

Indeed, by (strongly!) encouraging you to structure your data and documents, the GDPR allows you to optimize their collection and processing, to obtain a more complete overview of your business (which can help you better value and develop your firm), to complete your administrative procedures more quickly, to avoid any confusion of responsibility in case of a dispute, and to eliminate unnecessary data that only makes your business more cumbersome.

Finally, these security measures allow your firm to strengthen its client relationships through greater transparency.

Timetonic helps you establish a data processing register
