On November 12, 2014, the CNIL issued a new compliance pack for the insurance sector drafted in collaboration with the sector trade associations.
Compliance packs are a new tool that the CNIL has been promoting for the past few months as an operational response to the practical needs of professionals applying the French data protection law.
The CNIL has previously published compliance packs about electric “smart meters” (June 2014) and about social housing (October 2014). Two new compliance packs are already announced to be published soon: one about banking activities and one about social services.
These packs are prepared in close cooperation between the CNIL and sector stakeholders. They implement specifically drafted legal instruments that simplify compliance formalities (simplified norms, unique authorizations, waivers, etc.) and set out good practices adapted to the professional sector concerned. Because a pack is a co-regulatory framework prepared together with a given industry sector, the CNIL wishes to use packs as dynamic tools for managing complex issues such as those raised by big data. The CNIL also expects them to help organizations anticipate the changes that will come with the future European regulation on data protection.
The new insurance compliance pack has a triple objective:
- help insurance companies manage big data projects within their sector and better control the data collection risks inherent in big data processing in the current digital revolution;
- enable the development of new products and innovative personal services that respect privacy; and
- simplify the administrative formalities to be completed with the CNIL, so as to answer the needs of professionals more pragmatically and build a more dynamic relationship with the CNIL.
Two simplified norms and three unique authorizations are part of this compliance pack:
- Simplified norm n°016 for the procurement, management and execution of insurance contracts;
- Simplified norm n°056 for the management of customers and prospects for the insurance sector;
- Unique authorization n°031 for the collection of the social security number and the consultation of the national directory of identification of the individuals;
- Unique authorization n°032 for the collection of data about offences, convictions or security measures;
- Unique authorization n°039 for the implementation of measures combating fraud.
These documents contain road maps defining what insurance companies may and may not do. For example, unique authorization n°039 allows insurance companies to deploy algorithms to detect fraud across a number of databases, and to share fraud-related data within the group. Normally this sort of processing would be impossible without an individual CNIL authorization. Where insurance companies stay within the limits defined by the relevant simplified norm or unique authorization, they need only make a simplified filing with the CNIL and do not have to seek an individual authorization.
A compliance club has also been created, in particular to ensure that the pack can be updated over time to keep pace with market and technological developments. The aim is to enable professionals of the sector to keep exchanging views on a periodic basis, to verify the correct implementation of the rules and organizational processes in the light of trade developments, and to find solutions to any changes that arise.