GDPR & Data Protection Bill – Impact on Insurance and Banking Companies
Blog wpadmin January 15, 2021
The European Union’s (EU) General Data Protection Regulation (GDPR), which came into effect on the 25th of May 2018, regulates how organisations process the personal data of EU citizens.
It improves the privacy rights of individuals and, among other things, requires organisations to report data breaches within three days.
The regulation is supervised and enforced by the data protection authorities (DPAs) in each member state. The European Data Protection Board (EDPB), which is made up of representatives from each DPA and the European Data Protection Supervisor, ensures that GDPR is applied consistently throughout the EU.
The Personal Data Protection Bill 2019 (PDP Bill, 2019) was introduced in Indian Parliament on December 11th 2019 by the Minister of Electronics and Information Technology.
The Bill provides a framework for protecting citizens’ privacy, barring technology companies from storing and processing ‘sensitive’ personal data without explicit consent from individuals.
GDPR has had a significant impact in prompting Indian companies to take notice of developments in data protection, and it has been the inspiration for the PDP Bill, 2019.
The key determinants of the impact of GDPR and the PDP Bill on banks and insurance companies are the type of customers, the basis of interaction, the services offered and the information technology systems involved.
Effective data privacy safeguards have become an important source of competitive advantage in the modern era, as consumers have increasingly begun to prefer dealing with organisations that give them a sense of control over their data. Individual consumers are also, more than ever, aware of their rights regarding their personal data. Data protection requirements, by their nature, impose compliance burdens on regulated entities: registering with data protection authorities, creating privacy-by-design policies, conducting data protection impact assessments, appointing data protection officers, adhering to security safeguards and breach protocols, and implementing grievance redressal mechanisms.
Government and public authorities play a key role in the implementation of data protection laws. When European regulators took notice that customers were being negatively affected by the lack of proper regulation, they created the General Data Protection Regulation (GDPR); on similar grounds, the Personal Data Protection Bill (PDPB) 2019 was introduced in the Indian Parliament on December 11th, 2019 by the Minister of Electronics and Information Technology.
a) The GDPR applies to:
All member states of the European Union;
All organisations processing the data of European Union data subjects, wherever the organisation is geographically based.
b) The PDPB applies to:
Processing of personal data that has been collected, disclosed, shared or otherwise processed within the territory of India;
Indian companies, Indian citizens, and any other persons or bodies incorporated or created under Indian law.
The GDPR enumerates the specific grounds when necessary and proportionate measures may be undertaken to restrict the rights of individuals. However, the PDPB grants a blanket exemption to agencies of the central government.
Primary rights affecting compliance for lenders:
a) Informed Consent
Personal data shall only be processed after explicit consent given by the data principal at the commencement of its processing. Hence, lenders cannot assume implied consent for processing customer data.
b) Specific Purpose
Personal data shall be collected only to the extent that is necessary for the purposes of processing. This means that it cannot be collected for reasons that are not known or declared.
c) Data Erasure
Personal data must be erased after the purpose for which it was shared has been met. The data principal has the right to ask for the erasing of their personal data.
d) Data Portability
When the processing of the personal data has been carried out through automated means, the data principal has the right to receive a copy of their personal data in a structured, commonly used and machine-readable format.
Impact of GDPR on Various Segments:
a) Banks
Segments of business which are directly client related, such as wealth management and retail banking, are more impacted by the GDPR regulation than other segments. GDPR applies to the processing of personal data of any EU resident, or simply to processing and holding the personal data of data subjects residing in the EU. Thus, it may concern all sorts of personal data that can be found within a bank.
As a consequence, the bank faces three key issues in the wealth management segment:
Currently, in most banks, data is spread across different systems and kept in various storage places. To comply with the GDPR, banks need to understand where and how the data is currently captured and saved and need to answer the question on how to structure processes for the future in order to have an easily accessible holistic view of client data.
It is assumed that wealth managers currently gather all kinds of client information, even sensitive data, often in unstructured form. Banks have to decide how to deal with data capture and processing going forward, while retaining a comprehensive overview of their data. Banks may implement a clear policy framework and further guidelines, including behavioural rules for client relationship managers, to mitigate the risk of breaching GDPR.
Banks also handle personal data pertaining to the client's environment, such as information about a client's friends and family. Therefore, any GDPR implementation measure in the context of client personal data should be carefully elaborated to reduce any negative effects on a bank's business.
b) Insurance Companies
In the case of insurers, the GDPR implementation process is similar to that of banks and other institutions that process personal data. Insurance companies must create their own GDPR implementation process, which allows them to protect their customers’ personal data as much as possible and process it in accordance with the guidelines of the regulation. However, GDPR at insurance companies often requires even more decisive steps to be taken. This is because agents often collect extremely sensitive data, defined by GDPR as “special category data”, such as lifestyle, state of health or addictions, which requires special protection and whose leakage or illegal transfer can have very serious consequences.
Another important issue regulated by GDPR at insurance companies is the insurance of minors. At present, processing of minors’ data requires parental consent. Another important issue is the cooperation of insurance companies with third parties, such as brokers. The process of implementing GDPR requires, in this case, the signing of an appropriate form of contract, which determines whether the broker is a data processor or also a data controller.
Impact of PDP on Various Segments:
a) Banks
i) KYC process
The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The clauses from the bill that can affect the KYC process are:
Storage Limitation: after the loan has been repaid, the data principal can request erasure of all the KYC data.
Data Portability: with eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal.
ii) SMS Reading
This method of credit assessment is relatively new, and it would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties to the SMS exchange.
iii) Email Login Based Pull
Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Until now, explicit permission has usually, but not always, been sought before proceeding. With the bill in place, email login based scraping would need to be 100% consent-based.
b) Insurance Companies
i) Broader Definition of Sensitive Personal Data (SPD)
Unlike GDPR, the Bill has defined SPD to include health data, sexual orientation, gender, financial data, biometric data, caste or tribe. Various multinational companies and foreign companies would need to implement a strong compliance strategy to avoid a breach of SPD under the Bill.
ii) Excessive Liability
The Bill imposes liability on every officer of the company who, at the time of commission of the offence, was in charge of the conduct of the business of the company. However, no person shall be liable if he proves that the offence was committed without his knowledge.
The Data Fiduciary is obligated to provide the Data Principal with adequate notice before collecting and processing their data. The notice is required to be clear and concise, and, if necessary and practicable, the notice shall be in multiple languages. In a country like India with multiple languages, this may be an operational challenge and may increase the cost of compliance.
The GDPR does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules. Administrative fines can reach the higher of 20 million euros or 4% of a group of undertakings’ annual global revenue.
Under the PDP Bill, non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for insurance companies and banks to start preparing for these compliance measures.
Data is a valuable currency in this new world, and while GDPR and the PDP Bill create challenges and pain for businesses, they also create opportunity. Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used, and who design and implement new and improved ways of managing customer data throughout its life cycle build deeper trust and retain more loyal customers.