INSTANDA compliance with GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) aims to strengthen and unify data protection for all individuals residing within the European Union.

This regulation also concerns the export of data outside the EU, which means that any country – anywhere in the world – will need to comply if they process European data.

Businesses must not only comply with the GDPR initially, but also demonstrate continued compliance and be able to report on their data processing.

The GDPR comes into effect on May 25th 2018. Non-compliance could result in fines of up to 4% of a company’s annual worldwide turnover or 20 million euros, whichever is higher.

The Information Commissioner's Office (ICO) has stated that company Directors will be personally liable for failure to comply.

GDPR Principles

The GDPR principles set out the main responsibilities for organisations and require that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data

INSTANDA compliance with GDPR

  • Ability (for design screen users) to delete identifying data, or data held by consent, for a given policy
  • Customer portal users should be shown a list of their quotes when retrieving quotes instead of receiving an email
  • Access rights for configurators to customer data
  • Audit log recording when a quote was retrieved and viewed, and by whom
  • When using the public ‘Retrieve Quote’ function, email a single-use, unguessable link to the person to retrieve their quote (rather than going directly to their quote)
  • Audit log deletion/masking of customer data
  • Specify period for which identifying data from an unconverted quote is retained. Separately, specify period for which identifying data from an expired or cancelled policy is retained.
  • Flag variable definitions according to whether they contain identifying data. Flag variables according to whether they contain data held only by the consent of the data subject.
  • Access rights for configurators to delete customer data
  • Users cannot view live customer data on the back-end without permission
  • Mask sensitive claims data
  • Audit log access to customer data
  • Design Site Audit Log View
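The single-use, unguessable 'Retrieve Quote' link and the audit log of quote retrievals, sketched below as an added example written for this page; it is not INSTANDA's code, and the in-memory stores, function names and placeholder portal host are assumptions. Only a hash of the token is persisted, the token expires, it is burned on first use, and every attempt (including failed ones) is logged without recording the token itself.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for a database (hypothetical, for this example).
TOKENS = {}      # sha256(token) -> {"quote_id", "email", "expires", "used"}
AUDIT_LOG = []   # one entry per retrieval attempt: when, which quote, by whom, from where, outcome


def issue_retrieve_link(quote_id, email, now, ttl_seconds=1800):
    """Mint a single-use, unguessable retrieval link for the quote owner (`now` is Unix seconds).
    Only a SHA-256 digest of the token is stored, so reading the table does not yield usable links."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable or enumerable
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = {"quote_id": quote_id, "email": email,
                      "expires": now + ttl_seconds, "used": False}
    # The caller emails this URL to the data subject instead of sending the quote itself.
    return "https://portal.example.invalid/retrieve?token=" + token  # placeholder host


def redeem_retrieve_link(token, now, client_ip):
    """Exchange a link token for its quote id, exactly once and only before expiry.
    Every attempt, successful or not, is written to the audit log (the token is never logged)."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = TOKENS.get(digest)
    if rec is None:
        outcome = "unknown_token"
    elif rec["used"]:
        outcome = "already_used"
    elif now > rec["expires"]:
        outcome = "expired"
    else:
        outcome = "ok"
    AUDIT_LOG.append({"when": now, "quote_id": rec["quote_id"] if rec else None,
                      "by": rec["email"] if rec else None, "ip": client_ip, "outcome": outcome})
    if outcome != "ok":
        return None
    rec["used"] = True   # burn the token before handing over the quote
    return rec["quote_id"]


def last_audit_entry():
    """Most recent audit record, for review or for a 'Design Site Audit Log View' style screen."""
    return AUDIT_LOG[-1]
```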

Feel free to get in touch or email us if you have any questions regarding GDPR.