The implications of GDPR for captives

The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will harmonise data protection rules across the European Union. As well as introducing new requirements around data breach notification, the GDPR also imposes potentially large fines on companies found to be in breach of certain requirements of the Regulation. Owen Williams, manager of XL Catlin’s Captive Centre of Excellence, and Geraldine Henbest, group data protection officer at XL Catlin, discuss the implications for captives and what risk managers should be aware of when the rules come into effect.

Q. What are the main elements of the GDPR that risk managers should be aware of?
Geraldine Henbest:
The GDPR generally applies to any organisation established in the EU (acting as a data controller or data processor) regardless of whether the data is processed in the EU, as well as any organisation not established in the EU where the organisation is offering goods and/or services to EU citizens or monitoring their behaviour as far as it takes place within the Union.

The GDPR also introduces the concept of a data breach. When there is a breach, companies must inform the competent supervisory authorities as soon as possible, but not later than 72 hours after having become aware of it, unless the breach is likely to result in a risk to the individual. In response to certain infringements, supervisory authorities have the power to impose penalties of up to €20m or 4% of total worldwide annual turnover, whichever is greater.

The GDPR provides individuals with new rights. For example, in certain circumstances individuals are entitled to request that their data be erased. In addition, the GDPR introduces the need for organisations that meet certain criteria to formally appoint a data protection officer.

Q. What steps can companies take to make sure they are ready for the GDPR?
Geraldine Henbest:
The need for companies to take good care of personal data is nothing new. Organisations will already have processes in place to make sure data is handled appropriately. But there are various things that can be done to make sure that companies are up to speed with the new requirements.

Under the GDPR, organisations must map their data flow – so having an in-house inventory of what data is collected, with whom it is shared etcetera, is a good way to keep a handle on this. Where possible, organisations should consider the pseudonymisation of personal data as a risk management step. Companies should also make sure that information notices on documentation to individuals or published on websites are clear, understandable and accessible.
Insurers, for example, will need to update policy certificates and claims forms to include GDPR-compliant language. Third-party agreements and contracts also will need to be addressed to reflect the new requirements introduced by the GDPR when engaging third parties. It is also important that companies assess and test their incident response plans to make sure they are fit for purpose in the case of any breach.

Q. Does the GDPR affect captives, and what should risk managers be doing to make sure they are compliant?
Owen Williams:
By their nature, most captives handle individuals’ data. Parent companies will have GDPR processes and plans in place and these should extend to their captives. But this does not mean that risk managers with captives can feel complacent about the upcoming rules. Risk managers should ensure they know the correct lines of communication in case they are concerned about a potential breach. And they need to make sure that their parent company’s data protection officer, or whoever is charged with data protection and GDPR compliance, is aware of the captive and what types of data it handles.

Captive managers are also likely to have robust data protection and GDPR compliance processes in place. But again, making sure that communication channels are clear and robust will be very important so that captives do not fall through the gap. While captives may not appear to be directly affected by the new rules, risk managers will want to ensure they know how to handle data, who to contact in their organisation, and what protocols to follow in the event of any breach concerns.

Q. What about captives that are domiciled outside of the EU?
Owen Williams:
Of course, many companies that are based in the EU have captive insurers and global programmes that are outside of the EU. But this does not mean they are exempt from the GDPR. Captives that are domiciled outside of the EU also fall under the scope of the GDPR if they process the data of individuals from within the EU. And in the UK, despite the country’s upcoming withdrawal from the EU, the GDPR will replace the Data Protection Act 1998 in May 2018. A new act is planned for the UK that will sit alongside the GDPR; however, it is currently a bill.

Contributed by Owen Williams, manager of XL Catlin’s Captive Centre of Excellence, and Geraldine Henbest, group data protection officer at XL Catlin