knowledge | 26 March 2018 |

Insurance Industry Develops GDPR Data Breach Reporting Template

Insurers will need to notify personal data breaches once the General Data Protection Regulation (“GDPR”) becomes applicable from 25 May 2018.  Insurance Europe, the European insurance and reinsurance federation, has recently published a template to help insurers meet this obligation, which it expects to be of particular interest to SMEs and supervisory authorities.

According to Insurance Europe, SMEs could use the template instead of undertaking a descriptive exercise in the midst of a data breach, for which they may not have the resources. Supervisory authorities could benefit from a standardised format allowing them to share incident data across borders, to better detect trends and to gain insights about how to combat cyberthreats across Europe.

Data Breach Notifications

Under the GDPR, data controllers are obliged to report information relating to a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.  This obligation applies to all personal data breaches, with the exception of those unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

Information required about the breach includes the nature of the breach, categories and approximate number of data subjects and personal data records concerned along with the likely consequences of the breach and the measures taken to address and mitigate it.

New Template

The template is divided into three separate sections:

  • Section 1: Personal details and information on the affected company
  • Section 2: Details relating to the data breach incident as per Article 33 of the GDPR
  • Section 3: This section is to be completed following the 72 hour period when more information is available about the breach.  This will include complementary data sets to gain more knowledge of the nature of the breach

The data sets in both section 2 and section 3 are drafted in the form of multiple choice answers or numerical fields.  According to Insurance Europe, this helps to keep the information anonymous and facilities the comparison of information by relevant authorities across various sectors and companies.

The template can be accessed here.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts