
03 May 2018

Commercial Risk Europe: The implications of GDPR for captives


Owen Williams, manager of XL Catlin’s Captive Centre of Excellence, and Geraldine Henbest, group data protection officer at XL Catlin, discuss the implications for captives and what risk managers should be aware of when the rules come into effect.

Q. What steps can companies take to make sure they are ready for the GDPR?

Geraldine Henbest: Insurers, for example, will need to update policy certificates and claims forms to include GDPR-compliant language. Third-party agreements and contracts also will need to be addressed to reflect the new requirements introduced by the GDPR when engaging third parties. It is also important that companies assess and test their incident response plans to make sure they are fit for purpose in the case of any breach.

Q. Does the GDPR affect captives, and what should risk managers be doing to make sure they are compliant?

Owen Williams: By their nature, most captives handle individuals’ data. Parent companies will have GDPR processes and plans in place and these should extend to their captives. But this does not mean that risk managers with captives can feel complacent about the upcoming rules. Risk managers should ensure they know the correct lines of communication in case they are concerned about a potential breach. And they need to make sure that their parent company’s data protection officer, or whoever is charged with data protection and GDPR compliance, is aware of the captive and what types of data it handles.

Captive managers are also likely to have robust data protection and GDPR compliance processes in place. But again, making sure that communication channels are clear and robust will be very important so that captives do not fall through the gap. While captives may not appear to be directly affected by the new rules, risk managers will want to ensure they know how to handle data, who to contact in their organisation, and what protocols to follow in the event of any breach concerns.

Q. What about captives that are domiciled outside of the EU?

Owen Williams: Of course, many companies that are based in the EU have captive insurers and global programmes that are outside of the EU. But this does not mean they are exempt from the GDPR. Captives that are domiciled outside of the EU also fall under the scope of the GDPR if they process the data of individuals from within the EU. And in the UK, despite the country’s upcoming withdrawal from the EU, the GDPR will replace the Data Protection Act 1998 in May 2018. A new act is planned for the UK that will sit alongside the GDPR; however, it is currently a bill.

Full article on Commercial Risk (subscription required)



© Commercial Risk Europe

