The GDPR adds further complexity to the already heavily regulated Financial Services and Insurance sector. Many of the GDPR's requirements complement existing legislation, but special attention must be paid to the protection of personal data.
Finance and insurance companies process large amounts of personal data, much of it sensitive in nature. Particular care must be taken to ensure that it is used only for the purpose for which it was collected, that it is shared only in a controlled way, and that it is retained and disposed of appropriately and in a timely fashion.
The use of personal data for profiling and automated decision making is also specifically regulated under the GDPR, which gives individuals the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them.
This page explains what data protection legislation means for finance & insurance organisations and the key areas they need to consider when managing personal data.
WHAT DOES THE LEGISLATION MEAN FOR FINANCE & INSURANCE ORGANISATIONS?
Like all other organisations, finance & insurance organisations must enable individuals (data subjects) to:
- Access the data stored on them
- Ensure the data is correct and have it corrected as necessary
- Have it deleted (unless it must be kept for legitimate reasons, such as a legal retention obligation)
They must also appoint a Data Protection Officer (DPO) if they:
- Are a public body
- Process data on a large scale
- Use the data for profiling or automated decision making
IMPORTANT DATA PROTECTION CONSIDERATIONS FOR FINANCE & INSURANCE ORGANISATIONS
Finance and insurance organisations must protect personal data in a wide range of their operations. Some major considerations include:
Complementary Regulations
- Autoriteit Financiële Markten (AFM), the Dutch financial markets regulator
- Banking regulations
- Anti-money laundering regulations
- Understanding audit and inspection requirements, including how long records must be kept to satisfy them
Handling sensitive and special category data
- Data Protection Impact Assessments (DPIAs) before high-risk processing begins
- Financial data, medical data and records of criminal convictions, particularly in insurance
Multiple and legacy systems
- Duplicated data held on multiple systems, and data minimisation
- Data retention and disposal
- Mechanisms for handling Data Subject Access Requests (DSARs) across every system that holds the data
Administration
- Email systems
- Staff payroll, pension and HR records
- Visitors’ book, access and CCTV
Data Security
- Maintaining network and server security
- Data encryption, at rest and in transit
- Cyber security and breach notification
Policies and agreements
- Privacy, retention, cookie and data protection policies
- Staff handbooks
Sharing data with others
- Transfers to third parties
- Data transfers outside the EU
- Data processing and data sharing agreements
Handling large quantities of data
- Appointing a designated DPO
- Profiling and automated decision making