Political agreement on EU data protection reform reached

Background

In 2012, the European Commission put forward a proposal for a General Data Protection Regulation (“GDPR”), to update and modernise the legislative framework regulating how personal data is handled and managed across the EU. On 15 December 2015, after lengthy and difficult negotiations, the European Parliament and the Council of Ministers reached political agreement on the final draft of the GDPR.

The GDPR will replace the 1995 Data Protection Directive (95/46/EC), implemented in the UK through the Data Protection Act 1998, and will introduce significant changes to EU data protection rules.

Key changes

• Application - The new law will apply to all industries, including insurers and insurance intermediaries. The GDPR sets out the rights of individuals and establishes obligations on businesses processing ordinary and sensitive personal data, as well as methods for ensuring compliance.
• Territorial scope - The GDPR will apply to the processing of personal data by controllers or processors established within the EU and will also capture those established outside the EU. In the latter case, the processing activities must relate to offering goods and services to individuals in the EU or to monitoring such individuals’ behaviour. Non-EU institutions will need to consider whether their activities are caught by the GDPR and whether they must appoint a European representative to take responsibility for their actions.
• Cross-border data transfers - Transfers of personal data outside the EU will be allowed where the European Commission has issued an adequacy decision regarding the level of data protection provided in the jurisdiction where the data is transferred. Adequacy decisions issued under the previous legislative framework will remain in force. In addition, transfers of personal data will be allowed based on legitimate interest if the transfer is not repetitive and concerns only a limited number of individuals.
• Consent - Consent must be freely given, specific, informed and constitute an unambiguous indication of the data subject’s wish to agree to the processing of his or her personal data either by a statement or by clear affirmative action.
• Data breach notification requirements - Businesses will be required to notify the competent authority of a serious data breach as soon as they become aware of it, without undue delay and, where feasible, no later than 72 hours after they become aware, unless the breach is unlikely to result in risk to individuals’ rights and freedoms. Where the breach is likely to present high risks to individuals’ rights and freedoms, controllers must also notify individual(s) affected by the breach without undue delay.
• Sanctions - The consequences of non-compliance will be severe. The GDPR introduces a tiered approach to sanctions for those in breach of the rules, which will allow data protection authorities to impose fines of up to 4% of an enterprise’s annual global turnover or €20m, whichever is higher.
• Stricter governance -  Data controllers will have to undertake impact assessments for higher risk processing. These will include an evaluation of the risk posed to the data subject as well as the measures envisaged to tackle the risk. Data controllers and data processors will need to appoint a Data Protection Officer to perform relevant assessments of an organisation's data processing where large scale collection of consumer or sensitive data arises.

Impact on the Lloyd’s market

Insurers and intermediaries collect and use personal and sensitive data from policyholders and prospective insureds. The new regulatory regime will apply to Lloyd’s managing agents and intermediaries, in their capacity of controllers and processors of data used in their business. Market participants should re-examine their processes and procedures in order to ensure compliance with the rules.

Next steps

The European Parliament is expected to adopt the final text of the GDPR in the coming months. Once adopted and published in the Official Journal of the EU, there will then be a two-year period before it is applied. The new rules are likely to be enforced in early 2018.

As the GDPR takes the form of a regulation, it will apply directly in EU Member States, which do not need to transpose it into their national laws. It will also require adoption of secondary legislation at EU and/or Member State level.