1. CDO Europe: How to Implement the GDPR in a Multinational Company
Dr. Philipp Räther, Group Chief Privacy Officer, Allianz SE
2. Allianz at a glance
With over 142,000 employees worldwide, Allianz Group serves 85 million customers in more than 70 countries. In fiscal year 2015, the Allianz Group achieved total revenues of approximately 125.2 billion euros.
§ Leading property-casualty insurer
§ Among the top 5 life/health insurers
§ Worldwide leader in travel insurance, assistance and personal services
§ Leading strategic partner to the automotive industry
§ Among the top 5 asset managers globally
§ Global leader in credit insurance
§ Among the top 5 in the industrial insurance business
§ Included in the Dow Jones Sustainability Index since 2000 with top ranking positions
Rankings: insurance business based on revenues; asset management based on assets under management; sources: company reports.
© Copyright Allianz SE 2016
3. New EU laws will increase the privacy rights of individuals and obligations to protect personal data
Regulatory Change
§ New European General Data Protection Regulation (GDPR) has been agreed, and it:
  § regulates processing and transfer of personal data
  § applies to all organisations interacting with EU clients, customers and employees
  § brings a stricter and more demanding privacy regime
  § has extraterritorial impact for Allianz OEs
§ Outside the EU, regulation of personal data is maturing. Generally, most new privacy laws are based on the EU model of data protection regulation.
Risks of Non-Compliance
§ The GDPR imposes a greater regulatory burden, larger fines and increased enforcement powers.
§ Increased reputational damage and impact on stakeholder confidence.
4. New EU Privacy Requirements Impacting Allianz
Allianz is investing time and resources, both from a privacy and an operational perspective, to effect the changes brought by the GDPR and to allow for processing and global transfers of employee and customer data. Compliance with the GDPR imposes significant operational and administrative implications.
GDPR Requirements with Operational Impact:
§ International Data Transfers – BCRs
§ Right to Object and Profiling
§ Accountability and Privacy by Design
§ Right to be Forgotten and to Erasure
§ Data Register
§ Right to Data Portability
§ Consent
§ Data Breach Notification
§ Subject Access Requests (SARs)
§ Sanctions
GDPR Requirements with Administrative Impact:
§ Territorial Scope
§ Harmonization across the EU
§ Data Protection Officers
§ Authorities
5. GDPR – Operational Impacts (1/2)
GDPR Requirements and Impact on AZ / OEs
International Data Transfers – BCRs
§ The EU will restrict data flows outside the EEA. These will be subject to contractual arrangements, customer / employee notification and waivers, as well as regulatory approvals.
§ OEs will need to implement a mechanism according to which personal data can be shared within the group, in particular Binding Corporate Rules ("BCRs").
Right to Object and Profiling
§ Data subjects have the right to object to processing unless the controller demonstrates compelling legitimate grounds for processing.
§ Data subjects have the right not to be subject to a decision based solely on automated processing unless the data subject has given explicit consent, or where the processing is authorized by contract or in law.
§ Until now, OEs have heavily relied on the legitimate interest exception; with the data subject's right to object this will become more difficult.
Right to be Forgotten and to Erasure
§ Data subjects have the right to have their personal data erased in certain circumstances such as: where the data is no longer necessary for the purposes collected; or the data subject withdraws consent.
§ The sector is not keen on data deletion. OEs will have to develop and implement a data deletion strategy (regarding operational data and archives). This will be very costly.
Accountability and Privacy by Design
§ Controllers are required to conduct a data protection impact assessment prior to certain processing of personal data.
§ When designing new products and services, privacy friendly solutions will have to be implemented by design and by default. E.g. for telematic products this could mean that certain data will only be processed in a pseudonymized or anonymized way.
Data Register
§ Controllers and processors must demonstrate an understanding of data processing activities and related data handling risks.
§ Controllers and processors must maintain a register, which identifies and documents key data processing activities and transfers of data.
6. GDPR – Operational Impacts (2/2)
GDPR Requirements and Impact on AZ / OEs
Right to Data Portability
§ Customers will have the right to request a copy of data undergoing processing in electronic format and that the data is transmitted directly to another controller.
§ This will be technically difficult to implement and costly to run.
§ By way of example, a client wants to leave Allianz and buy insurance from AXA. Allianz now has to make available all his static and transactional client data in an electronic format so he can easily download it and transfer it to AXA.
Consent
§ Consent means any freely given, specific, informed, and unambiguous indication of the data subject's wishes.
§ Where consent is relied upon for the processing of special categories of personal data, explicit consent is required.
§ OEs have to use explicit consent from the insured for the processing of their health data. Further restrictions apply to the collection and use of criminal data.
Data Breach Notification
§ In certain circumstances, the supervisory authority and data subject must be notified of a personal data breach without undue delay and, in the case of the supervisory authority, within 72 hours.
§ It will be necessary to have adequate reporting procedures in place to comply with the notification requirements, including criteria and thresholds for communication to data subjects.
§ It will be necessary to keep records of, and document, any personal data breaches.
Subject Access Requests (SARs)
§ Data subjects have the right to request the personal data that controllers store about them. Such information will have to be supplied within a given timeframe free of charge.
§ OEs will need to devote additional time and resources to ensuring that they can comply with these requirements.
Sanctions
§ Infringements regarding the basic principles for processing, data subject rights etc. may be subject to administrative fines of up to €20 million, or 4% of worldwide annual turnover, whichever is higher.
§ Compliance with data protection laws is now a key management risk.
7. GDPR – Administrative Impacts
GDPR Requirements and Impact on AZ / OEs
Harmonisation across the EU
§ The level of data protection, and the rights and freedoms of individuals, should be equivalent in all Member States.
§ OEs established within the EU will need to identify impacted processes, systems, and third party relationships, and should have equivalent safeguards with regard to the processing of personal data.
Territorial Scope
§ The GDPR applies to personal data processed in the EU, and, in certain circumstances, to personal data of individuals residing in the EU processed outside the EU.
§ OEs established outside the EU should consider whether they are subject to the GDPR.
Data Protection Officers
§ Controllers and processors shall designate a Data Protection Officer ("DPO") where their core activities consist of the regular and systematic monitoring of data subjects on a large scale or the processing on a large scale of special categories of personal data.
§ DPOs will have to be appointed. A single DPO may be appointed by a group of undertakings provided that the DPO is easily accessible to each establishment.
§ Workload for existing DPOs will increase significantly. DPOs will be assigned new tasks, such as a consumer advocacy role.
Authorities
§ Data controllers are regulated by a lead authority located in the territory of their main establishment, although local authorities may deal with local cases (known as the "One Stop Shop").
§ OEs may deal with a single regulator for most cases. However, cases of cross-border and multi-jurisdictional interest may involve more regulators and take longer to resolve.
8. How the Program addresses the EU Privacy Requirements
The Allianz Privacy Renewal Program provides the legal framework to facilitate group-wide data transfers and supports OEs subject to the new GDPR requirements. BCRs provide the legal basis for the transfer of data between EU and non-EU OEs.
GDPR Coverage (data origin vs. OEs by which the data is hosted / processed / accessed):
                        Hosted / processed / accessed by EU OEs    Hosted / processed / accessed by non-EU OEs
Data origin: EU         GDPR                                        GDPR + BCR
Data origin: Non-EU     GDPR                                        Based on AZ' decision, BCR may be applied to all data hosted / processed / accessed by fully participating non-EU OEs
GDPR applies to:
• All EU OEs (including all data of EU and non-EU OEs processed in the EU)
• All EU data hosted / processed / accessed by non-EU OEs, subject to BCR
9. Allianz Privacy Renewal Program (APRP)
Purpose
§ Address the requirements of the EU GDPR and adopt Binding Corporate Rules (BCR) to allow for global transfer of data
§ Support Allianz' Renewal Agenda and digital transformation objectives
Structure: 3 Years, 3 Waves, 3 Phases
§ Three year program with shared cross-functional responsibilities:
  § Co-led by Operations and Compliance
  § OE responsibility for local implementation
§ APRP involves 70 Operating Entities, across 1000+ legal entities and 70 jurisdictions. OEs have been prioritised across three waves of implementation, including a Wave 1 pilot.
§ Divided into three phases, comprising a blend of GDPR and BCR activities:
  § Phase 1: Scoping
  § Phase 2: Readiness
  § Phase 3: Remediation
10. Allianz Privacy Renewal Program (APRP)
Scoping and planning stages of the GDPR / BCR program are critical phases to ensure success:
✓ Stakeholder Engagement
✓ Determining Scope of the Project
✓ Budget Planning and External Support
✓ Project Governance
✓ Joint Operational and Compliance program representation
✓ Project Management and Program Planning