GDPR: data protection in action
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into effect, replacing EU Directive 95/46/EC. Being a Regulation rather than a Directive means that GDPR is directly effective. This benefits organisations that operate in multiple member states, like Van Ameyde and many of our customers. After all, compared to Directives, which are transposed into national law, Regulations offer far fewer possibilities for local deviations.
Despite this benefit, implementing GDPR has proven a time-consuming process for us at Van Ameyde. We started our comprehensive implementation programme over two years ago, following an extensive audit throughout the organisation.
Without purporting to provide an exhaustive list, I would like to give you an insight into a number of aspects of the new Regulation from a Processor’s point of view.
Security and data governance
Following the audit, we initiated a host of upgrades in our data security and data management as early as 2016. For security reasons we cannot list the measures taken in detail. In general terms, however, our security and data governance measures include:
- encryption of personal data
- benchmark security measures related to infrastructure and access, including two-tier authentication and strict password policies
- data breach monitoring and reporting
- data classification policies, further limiting access to highly sensitive information, such as medical data (only to be accessed by staff with additional security clearance) and data related to fraud investigations.
In the process of introducing measures, our in-house IT development company (Zero)70 has been awarded ISO 27001:2013 certification, in addition to our existing annual ISAE3402 type II accreditation. Our customers may rest assured that our data management and data security protocols and practices are fully GDPR compliant. We strictly adhere to GDPR principles such as lawfulness, fairness, transparency and purpose limitation. In addition, we minimise the collection and processing of data to what is strictly relevant to handling claims and have implemented measures to meet data subjects’ rights.
Suffice to say that, as part of the GDPR compliance process, Van Ameyde has conducted a Data Protection Impact Assessment (DPIA) to identify high risks to privacy rights. Measures to address such risks have been formulated.
Controllers and processors
Controllers are parties that ‘own’ their customers’ data. When outsourced activities involve the processing of such personal data, controllers face two challenges:
- Meeting the GDPR deadline for their own data management systems and practices
- Ensuring that their supplier networks, i.e. the ‘Processors’, are compliant as well – by means of Data Processing Agreements
Under the new Regulation, Processors also become accountable, with responsibilities such as:
- the appointment of a Data Protection Officer (DPO)
- keeping records of the data processed on behalf of their customers
In fact, as Van Ameyde operates throughout Europe, we have appointed and trained dedicated DPOs in all the countries where Van Ameyde has offices.
Data Processing Agreement: compulsory
Under GDPR, Controllers are obliged to conclude Data Processing Agreements (DPA) with their Processors. We are addressing this issue by notifying customers and providing them with a DPA template. If you have not received a DPA, do by all means contact us for one!
Data Subjects’ rights
Under GDPR, Data Subjects are the individuals whose personal data are processed. In terms of claims management, data subjects may be policyholders, third parties and for instance witnesses. At first notification, claimants are explicitly informed of their rights. These rights include the rights to:
- erasure (the ‘Right to be Forgotten’)
- restriction of processing
- data portability (the right of individuals to have their personal data transferred to other organisations)
It should be noted, though, that any changes are only processed after thorough checks as to legitimacy and relevance. In addition, within the context of claims handling the Right to be Forgotten is limited. Suffice to say that liable parties cannot have their details removed or changed to avoid recovery…