"Insurance 5.0 - What comes after digitalization?" - under this provocative title the Versicherungs.Dialog 2022 took place on September 22. As a partner of BearingPoint, Consor was allowed to be present again this year with a booth and a short presentation on stage.
The new General Data Protection Regulation (GDPR) of the European Union has been in force since 25 May 2018. In Switzerland, a revision of the Swiss Data Protection Act, largely based on the GDPR, is being consulted. At least parts of the revision are expected to come into force next year.
Consor Universal is primarily used in the area of specialty and industrial insurance. Particularly in the case of professional liability insurance, personal data covered by the GDPR is stored and processed by Consor Universal. Since Consor Universal stores all data in a structured manner, GDPR compliance can be achieved quickly and reliably. Several of our customers have implemented and rolled out the necessary adjustments in less than half a year.
The following shows how selected parts of the GDPR can be covered by Consor Universal. The examples are from customer projects.
In first step, it is necessary to identify the personal data stored in Consor Universal. Examples of personal data are names, e-mail addresses and dates of birth. To ensure a reliable implementation, those attributes need to be kept in the internal data mart of Consor Universal. In many cases, most of the attributes will already be part of the data mart, but you might need to add a couple.
Do be GDPR compliant, a number of small new features will most likely be needed. The new features are typically only available to specially authorized employees, e.g. data protection officers. Also, access to so-called restricted data will need to be limited to employees with the necessary authorization. The authorization concept will this need to be adjusted accordingly, and the changes modelled in Consor Universal.
Once the groundwork of identifying personal data and modelling new authorizations has been covered, you’re ready to implementing the specific requirements of the GDPR. Let’s have a brief look at a couple of them.
Right to information (articles 13 and 14): These articles primarily require contractual documents to be adjusted, as the customer must told which data is kept and how it is used. In Consor Universal, all you need to do is to supplement the products (e.g. professional liability for doctors) with the new clauses. These are then automatically included in all future business transactions (e.g. a contract adjustment).
Right of access (article 15): Data subjects, i.e. people whose data is stored, have the right to inspect their data and request corrections. As all personal data is already kept in Consor Universal’s data mart, it is quick and easy to generate a customer-friendly PDF document containing all the data that can be sent to the person requesting access. Access to this feature can be e.g. via a new menu item. Of course, only authorized users should see it.
The generated PDF document contains all data of the inquiring person and could look like this:
Right to be forgotten (article 17): The deletion of personal data is usually implemented in two phases: In a first step, the data is deleted logically. Such data are blocked from general access. Only specially authorized users (see introduction) still have access to them. In a second step, the data is physically deleted. Physically deleted data is erased completely from the system and not accessibly by anyone.
Consor Universal supports, as a standard product feature, both logical and physical deletions across the entire system.
Deletions can be triggered by two processes:
- Automatically by the system when defined time limits have been reached.
- On receipt of a corresponding request of the data subject.
Consor Universal offers comprehensive support for the necessary mechanisms. Batch jobs can take over automatic deletions. Authorized employees can have the data deleted prematurely in the application if a request for deletion is received. Also, surrounding systems can be instructed to delete the data. Conversely, a surrounding system can issue a deletion instruction to Consor Universal, or veto a deletion instruction it has received.
Consor’s experts are also familiar with various other aspects of the GDPR, such as the right to restriction of processing (article 18) or the anonymization of test data. We will be happy to answer any questions you may have in the context of Consor Universal.