For travel insurance producers, vendors, brokers, and in fact any professional gathering or storing personal information about a client, the rules for maintaining strict privacy are intensifying, as are the penalties attached to them.
And we’re not talking about slaps on the wrist.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR, described by experts as the strictest data-protection law in the world) came into effect to harmonize the data protection laws of all EU member states. The law is intended to ensure that all personal data from individuals in the EU are protected; that those who gather that data deal in a fully transparent fashion; and that customers have new and greater privacy rights and control over how their information is used by those who collect it and pass it on to others.
How serious is the EU about its GDPR? The maximum penalty for non-compliance is four per cent of an organization’s global turnover, up to €20 million.
With Canadians making almost six million leisure trips to Europe each year—most of them covered by travel insurance that depends on assistance service partners working in the EU—and with more Europeans travelling to Canada under insurance sold from Canada, the exposure is obvious.
According to Deloitte Canada’s website, you’re in the EU’s crosshairs if:
- you have offices or employees in the EU;
- you offer goods or services to individuals in the EU through your website or mobile app;
- you process the personal data of individuals who are in the EU on behalf of your business clients.
And that’s not all
In addition to the imposition of the GDPR in the EU, updated Canadian privacy rules under the Personal Information Protection and Electronic Documents Act (PIPEDA), which go into effect in November 2018, will now include financial penalties to make sure organizations comply with the federal regulations.
As Jill McCutcheon, partner and co-head of the Financial Services Practice for Torys LLP, told travel insurers at their annual conference in May, “The introduction of penalties is a new thing, but let me tell you, federal regulators love penalties now.”
She warned that any entities anywhere along the travel insurance distribution chain that are responsible for a privacy breach that could result in real risk of personal harm are required to report it to the privacy commissioner’s office, to the persons or organizations directly affected by the breach, and to anyone along that chain that might be able to mitigate the harm.
She advised travel insurers, vendors, and all related entities to update their breach response protocols, to designate breach response teams, and to update employee training.
PIPEDA is not exactly the same as the EU’s GDPR, but it’s close enough that the mantra is clear—privacy is king. Betray it at your peril. And if you’re dealing with any part of the EU—at arms-length or otherwise—consider yourself double warned.
For more tips and information, visit the Ingle blog.