An overview of the IDD & GDPR impact on distribution

The Chain of Distribution - Insurance Distribution Directive & GDPR

Under the Insurance Distribution Directive (IDD), which has applied since 1 October 2018, an insurance provider or insurer can no longer work with brokers if the chain of distribution defined by the IDD is broken or does not exist. Responsibility is shared: the provider or insurer must check that its contracted brokers comply with the law, which means due diligence on IDD and GDPR compliance, anti-bribery and corruption, conflicts of interest, product governance, sanctions compliance, and fraud or money laundering.

This is the challenge for the insurance industry: the sector is highly fragmented. In banking, where the industry is far more consolidated, we have seen a high concentration of fintech providers supplying technology, licensing, cloud, APIs and convergence. The same needs to happen in insurance, but implementation is harder because of complex product lines and fragmented distribution channels.

What are the 10 most important points for all intermediaries within the meaning of the law?

1. Intermediaries must provide greater transparency on the price and benefits of insurance products.
2. Intermediaries must understand what the duty of advice and the duty of information are.
3. Intermediaries must be able to prove how they collected the data and needs of the insured (client information, group census details, life protection, income, etc.) and must encrypt this highly sensitive data, which in practice requires a suitable environment with plug & play convergence and cloud.
4. Intermediaries must advise through a written process (data collection, situation, needs analysis, recommendation and proposal) and send the Insurance Product Information Document (IPID), terms and conditions and benefits, including a reasoned written response, without giving rise to any conflict of interest regarding commissions.
5. Intermediaries must explain and include in their written process the compulsory legal mentions (privacy & cookies policy, terms & conditions, data retention policy): how the information can be accessed, where the data is held, how it is secured, how data portability is offered, and how to complain to the ombudsman or regulator. The technology (hosting) and the data must be separated and differentiated in the system, with APIs to transfer the flow of information.[1]
6. Intermediaries must disclose their fees or percentage of commission.
7. Intermediaries need to secure data in a hosting environment with appropriate technical and organizational measures (encryption at rest and in transit, access control, audit logging) to be compliant with the GDPR & IDD. A HIPAA-grade cloud or a high-security server is one way to meet that bar, but note that HIPAA itself is a US healthcare standard, not a GDPR or IDD requirement.
8. Intermediaries need to offer data portability.
9. Intermediaries must train their staff for a minimum of 15 hours per year (outsourced training).
10. Intermediaries must be aware of the distribution directive and of sanctions, regulation, remote solicitation and specific rules.

[1] Summary of Benefits

This is the first phase; in 2020, France is also requiring brokers to belong to a professional association that checks them regularly.

Think Insurtech's SaaS modules digitally cover all of these points, using convergence, APIs and cloud to manage sensitive data. This is what we will show you: our platform connects to any system in plug & play fashion, and it also publishes a mobile application on Google Play and iOS.

At Think Insurtech we work with providers to develop the market as an MGA and as advisors assisting with compliance, and with brokers to assist with compliance and to give them access to a wider range of providers and insurers. Without a system and tools such as our SaaS platform, brokers lacking this expertise are very likely to disappear within a short time frame: they face a double-edged sword, with both insurers and regulators enforcing compliance.
Finally, we can help you move forward with digitalization and provide you with an end-to-end plug & play solution for sales distribution.

Appendix

[Figure: deloitte-dda]

*Source: Deloitte, Insurance Distribution Directive

[Figure: data-flow]

*Data flow: how to manage data to be GDPR/IDD compliant

General Data Protection - Summary of key points

The GDPR key principles 

The GDPR sets out six key principles in Article 5(1) that govern data protection (Article 5(2) adds accountability: the controller must be able to demonstrate compliance with them). The use of personal data must meet these criteria:
● Processed lawfully, fairly, and in a transparent manner 
● Collected for specified, explicit and legitimate purposes 
● Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed 
● Accurate and kept up to date 
● Kept no longer than is necessary for the purposes for which the personal data was collected and processed 
● Processed securely, with appropriate technical and organizational measures in place to protect the personal data from unauthorized or unlawful processing and from accidental loss, destruction or damage. 

Data subject rights 


When you provide data that identifies you, such as a personal email address, date of birth or credit card details, you are a data subject. Your personal data remains yours, and the GDPR gives you important rights as to how it is used: 
● The right to be informed 
● The right of access 
● The right to rectification 
● The right to restrict processing 
● The right to object 
● Rights in relation to automated decision making and profiling 
● The right to erasure (also known as the right to be forgotten) 
● The right to portability 
The processing of personal data must be lawful, so consider the following: 
● When consent is used as a basis for processing, it should be clearly given for a specific purpose. 
● If there is no legal or contractual reason to keep personal data, it must be deleted if the data subject requests it. 
● You need to always consider whether the legitimate interests of the data subject are being properly respected. 

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data: 

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) 


Be aware that extra care and protection are required for special category (sensitive) personal data under Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and biometric and genetic data. 


For data controllers and data processors 


● Someone's information may be shared for security reasons, for the provision of services, or for selling products or services, provided this is done lawfully. An online service holding sensitive data such as passport details and medical information is highly intrusive on an individual's privacy and must be protected accordingly. 
● Remember that under the GDPR data processors are also directly liable for non-compliance and for data breaches. 
● There can be multiple data controllers during a transaction. 
● You must report a personal data breach to the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected data subjects must also be informed. 
● Significant fines and sanctions are imposed for non-compliance, and the reputational damage from a breach can cause significant losses for organizations. 
What you should consider 
● Do I know how my role impacts the protection of an individual’s personal data? 
● Which of the processes I carry out relate to compliance with data protection regulation? 
● How do I contribute to the prevention of data breaches? 
● What are my firm’s policies, processes and controls which help protect all personal data? 

If you are unsure of any of the above questions, please talk to your line manager and seek clarification. 
If you think more can be done to protect personal data within your organization, then let someone know. 
Remember all staff who process/control personal data are expected to ensure compliance with the regulation, so make sure you know your responsibilities, internal policies, practices and processes that relate to data protection.