Data protection for insurance companies: How to protect your policyholders’ data
Similar to health care, data protection is a mammoth task for insurance companies. As a rule, highly sensitive personal data is collected each time a contract is formed, providing detailed information on the identity of the data subject. At the same time, insurance companies have to process a large amount of information in order to weigh potential risks. It is therefore all the more important for you as an insurer to meticulously comply with the GDPR guidelines in order to protect yourself from fines. In this guide, we show you what you need to look out for in order to protect yourself and your customers correctly.
Digitization has not fostered confidence in insurance companies
Many health insurance companies try to win customers over by offering them special benefits. This begins, for example, with the so-called bonus booklet. This is an unproblematic model: policyholders take preventive measures to improve their health, and the relevant data reaches the insurance company one way or another in any case, so no additional data protection exposure is created.
On the other hand, the provision of fitness and tracking apps or pedometers, for example, is a cause for concern. The insurance company also collects this data and then makes special offers to its customers. However, this inevitably leads to other policyholders being disadvantaged because a) they do not make use of these options or b) they do not exercise sufficiently. As a rule, data subjects give their consent voluntarily because they use the app. However, many are not aware of the extent to which their personal data is processed. As an insurer, you are therefore obliged to inform your customers, or in this case users, sufficiently about their rights and obligations.
As you can see, digitization is a field in which the new General Data Protection Regulation was urgently needed. This is because, in such cases, both insurance companies and other providers of such apps create uncertainty among data subjects. Many people ask themselves whether they can still use such a tool without having to fear potential disadvantages. The current provisions of the EU GDPR protect the rights of data subjects. At the same time, customers place more trust in your insurance company again because they know that you take their well-being seriously.
Code of Conduct
This is the internal data protection code of German insurance companies. It corresponds to both the Federal Data Protection Act (BDSG) and the current General Data Protection Regulation. In the German Insurance Association (GDV), institutions have voluntarily joined forces against data protection violations. The participating insurance companies are committed to complying with the following guidelines:
- Data is only collected and processed for the respective purpose.
- The collection takes place only in the context of a risk examination or if a claim for damages, etc., exists.
- The processing occurs for a specified purpose. If data is collected beyond this, the consent of the data subject must be obtained.
- The goal is data minimization and transparency.
- and much more
Basically, data protection for insurance companies was already given high priority years ago. However, participation was voluntary. This means that not every insurance company has joined the network. However, the current EU GDPR now obliges all insurance companies without exception to comply with its provisions and, if necessary, to be accountable to the supervisory authorities.
Establish a compliance strategy
In order to correctly implement the General Data Protection Regulation as an institution or insurance broker, you should develop a sophisticated strategy. First of all, get an overview of which guidelines apply to you and which security measures you need to take. Our GDPR checklist can help you.
Appoint a data protection officer
Directly after the risk analysis, this should be your first step to comply with the General Data Protection Regulation as an insurance company. If you have more than nine employees who collect and process personal data, you must have a designated internal or external data protection officer who is available on request (see Art. 37). The data protection officer is responsible for helping you to implement the GDPR and is always the point of contact for both data subjects and supervisory authorities. At the same time, the data protection officer provides your insurance company with support to avoid data protection violations.
Directory of processing activities
According to Art. 30 GDPR, you are obliged to create a directory of processing activities. Whether this is done in written or electronic form is up to you. However, it is important that you list in detail which personal data you collect for what purpose and to what extent. It is also relevant whether you employ another company for the processing.
The new EU GDPR makes data protection more important not only for insurance companies, but also for customers. People are becoming increasingly aware of this issue. It is therefore important that you inform your policyholders not only about the processing of their data, but also about the right to deletion, blocking and being forgotten! Every data subject now has the opportunity to have their data “disappear.” However, you can only partially comply with this wish, as you must at the same time comply with the legally prescribed retention periods.
Technical and organizational measures
Digitization poses a major challenge for insurance companies in terms of data protection. You almost certainly have your own website on which you present what you have to offer. At the same time, many insurance companies offer contact forms and a login option. It is therefore extremely important that you implement appropriate security measures. This includes, for example, SSL/TLS encryption, so that personal data entered into such forms cannot be read by third parties in transit.
It is just as important to sensitize your employees to the topic of data protection in your insurance company. This is because working with sensitive information is a very delicate matter. Your employees need to know how they have to behave during processing and which requirements they have to comply with.
Also consider encrypting the data if you are sending insurance-relevant content by email. We always recommend an individual password for each customer. Only in this way can you ensure that the information is protected, even if it falls into the wrong hands.
Data protection is enormously important for insurance companies
Your task is to collect personal data on a large scale. No matter whether you are an insurance broker or a health insurance company, you inevitably hold all the information about your customers in order to be able to make them the best possible offer. That is why you are also responsible for complying with and guaranteeing data protection in your insurance company, and why you are liable in the event of deficiencies.