The General Data Protection Regulation (GDPR) is going to put individuals in charge of their data and give them the power to decide when companies can use it. In this blog we look at this in more detail here (link to - How can companies prepare efficiently for GDPR). Some sectors will face particular challenges in ensuring compliance: the financial, medical and insurance industries will be tested by the amount of data they hold, its sensitivity, and the scrutiny they are likely to receive from auditors.
- Most companies share data with third parties, so they should be aware of, and actively manage, the risk of doing so.
- Many companies keep a lot of data on their customers, so it’s important to keep only what is permitted under the new legislation.
- Make sure that a process is in place to collect the necessary consent when dealing with customers.
- Analysing credit worthiness may be more difficult as data is more elusive. Of course some of this will be proffered as clients want to use a financial service – this is another reason that rules around consent must be navigated carefully.
- Insurers are using increasingly sophisticated tools to evaluate claims. If less information is available this may mean collecting the data they need to accurately assess claims (and reduce the cost for everyone) may be harder.
- Telematics data could be a phenomenal tool to help price insurance policies but with the need for consent it may be a lot harder to use this data effectively.
- Getting data for underwriting purposes may be problematic. Credit histories and all-important health data may be hard to obtain, meaning pricing work is subsequently less targeted.
- Marketing specific deals to users may be more difficult with tighter data legislation. Companies that sell across borders may also be hit particularly hard.
The GDPR explicitly states that health data will be subject to higher standards, meaning that any organisation using this data should be extra vigilant. There are three types of health data: data concerning health (physical or mental), biometric data (anything that identifies a person, such as facial recognition), and genetic data (acquired characteristics). Processing of these is prohibited unless specific conditions apply, namely:
- The data subject has given ‘explicit consent’.
- The processing is necessary for the purposes of preventative or occupational medicine. This could relate to assessing working capacity, diagnosis or treatment.
- Processing is necessary due to matters of public interest.
‘Necessary’ is likely to be a difficult threshold to attain so organisations should focus on obtaining consent where possible.
Organisations which are specifically cited or will be under the microscope due to the amount of data they process should be especially wary of the new legislation and have in place a plan leading up to the implementation date. It is almost certain organisations in these fields will be some of the first targeted by auditors.