Getting compliance right
The interconnectivity that the world currently finds itself in is far reaching. This sharing economy means that data in one part of the world can be analysed, refined and used as a test subject in another part of the world.
In the case of the insurance industry, data is used to gain better insights into clients and client behaviour and is also used to improve product and service development.
However, this also comes with some challenges. Privacy has always been something that humans have always valued and guarded as sacristan. The introduction of the Protection of Private Information Act (POPIA) will be a major step in following the rest of the world in establishing long awaited privacy laws. At the recently held 3rdAnnual POPI Conference, which was hosted by the Intelligence Transfer Centre, the issue of data privacy came under the spotlight in many forms.
Steps ahead
The issue of data privacy has been key since the formation of the European Union (EU). However, the interconnectivity of the Union means that data privacy can be challenging at times.
To counter this, given the growing influence of technology and access to data, the EU established the General Data Protection Regulation (GDPR) which is a law based on a set of privacy principles that safeguards an individual’s right to privacy.
Like POPIA, it took the EU a long time to establish the GDPR. In addition, as the case will be when POPIA is finally introduced, the GDPR has a far-reaching ambit.
“We need to remember that we cannot turn a blind eye to the GDPR. Even if we are based in South Africa and we do business with any business partner that is based in the EU, we are obliged to follow the principles contained within the GDPR,” said Dr Peter Tobin, Founding Director of Tobin Consultancy.
This has major implications for the financial services industry. Insurers are increasingly taking on cross border risks and are writing policies in other countries. Further, there are a lot of business partnerships between South African insurers and international counterparts. Lastly, most of the risks underwritten by South African insurers is reinsured by international reinsurers. The interconnectivity of our industry cannot be underestimated.
High expectations
Not only does the EU expect South African companies to comply with the GDPR, but it also expects POPIA to offer its citizens the same level of privacy.
“The days of South African companies only doing business locally is long gone. International business partnerships have been a reality for a long time now. South Africa is struggling with economic growth, and one way to overcome this is to align POPIA with the GDPR so that South Africa gets Trusted Trading Partner status with the EU. This has happened in New Zealand who is now one of the EU’s largest trading partners because EU citizens feel a measure of security when visiting the nation,” said Dr Tobin.
A major announcement regarding POPIA is expected to be released in March. The Information Regulator – Pansy Tlakula – is expected to be a key note speaker at the International Conference for Information Commissioners which is due to be held at Vodaworld. “My hope is that Tlakula stands up, gives the audience a sneak preview of POPIA, announces that POPIA will be upgraded to be on the same level as the GDPR and that South Africa is looking to get Trusted Business Partner Status,” said Tobin.
Get it right
It is important that insurers and intermediaries get POPIA compliance right from the onset. Rene Richards, Compliance and Privacy Specialist at Privacy Vault, points out that there are some key questions that need to be asked when approaching the issue of compliance.
“Insurers need to ask: who is collecting data, what are they doing with it, who else sees this information, what could they potentially do with it, and is there any risk to the organisation?” said Richards.
According to the rights entrenched in POPIA in 2013, everyone has right to protection against unlawful collection, retention, dissemination and use of personal information. “Therefore, it is necessary to remove unnecessary impediments to the free flow of information and to regulate processing to ensure that the right to privacy is in line with international standards,” said Richards.
Capturing is key
A key function of an intermediary is the initial meeting with the client where a needs analysis is done. Data capturing is key for the industry, but is also the foundation of POPIA compliance.
“The responsible party – in this case the intermediarty – must take reasonable steps to ensure that the data subject (the client) knows that the source of data collection (whether it is voluntary or mandatory), the contact details of the intermediary, the purpose of the collection of the information, the consequences of failure to provide information (non-disclosure), the transfer of data to a third country and the level of protection that the client will receive,” said Richards.
In addition, there needs to be clarity around the right of access to the data that is being provided and the right to rectify that data. Further, if there is any indication that the assurances of the intermediary or Chief Information Officer of the insurer has been contravened, the client has a right to lodge a complaint with the information regulator whose details needs to be supplied to the client.
Editor’s Thoughts: Google recently got fined $56.5 million by the French Regulatory Authority for a failure to comply with the GDPR. In addition, Facebook has recently been found guilty of contravening GDPR principles by the UK information regulator; a significant fine is imminent in this case. Can South African insurers afford to face similar punitive measures? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts jonathan@fanews.co.za.
Article published courtesy of FANews
https://www.fanews.co.za/article/compliance-regulatory/2/general/1082/getting-compliance-right/26358
