Privacy has always been important to people. It’s why people close their blinds, tint the windows in their car, or shred their mail before disposing of it. However, as technology evolves and continues to reshape the tools used to process, transfer, and store information, the ways in which we need to think about privacy are becoming more complex.

Privacy and the US Legal Industry

Claimants are placing a massive amount of faith in their carrier and legal representation to protect their privacy throughout the course of their matter. Insurance carriers, plaintiff, and defense firms often hire other companies to process personal information to gather records, write reports, and provide expert opinions.

The insurance and legal sector collects a large amount of data, and a large amount of that data is considered personal information by all reasonable measures. This is true in the underwriting, claims, and claims litigation process across both personal and commercial lines. Attorneys, in particular, may be unaware of just how much personal information they are collecting either directly or via a vendor, supplier, or expert. They also may be unaware of how that data may be currently used in or against their own interest.

Consider the Purpose

With the vast amount of data collected by the US legal industry, it’s not just the type of data, but the purpose it is being collected for and how long it should be kept. Are the companies hired to collect and process the data using the data only for its intended purpose? Do they have the correct technology and business architecture in place to provide access to it, keep it safe and respond if a breach were to occur?

Consider the Length of Time

There are a lot of instances where information has been collected early on but may no longer be needed. How long should 3rd party personal information be kept that is no longer needed?

In the EU insurers big and small are having to reconsider the information that they are capturing and retaining, due in large part to the recent adoption of the General Data Protection Regulation (GDPR) standards.

In the United States, the attention paid to the rights of those individuals related to privacy is growing quickly. While privacy is yet as regulated consumer behavior and liability issues are quickly redefining the privacy landscape. The best bet for any organization dealing with the collection and processing of personal information is to build a good understanding of the privacy landscape as it currently exists, and evaluate its own processes against the current best practices while anticipating changes and challenges to come.

What is the GDPR?

The General Data Protection Regulations, although not yet applicable in the United States, has dominated the privacy headlines over the course of the last year. The GDPR is significant because it is creating a broader definition of personal data. All data that can be used to identify someone is classed as personal data under the new GDPR – this includes everything from genetic and economic information to IP addresses.

The changes also place more emphasis on consent, putting customers more in control with what and how their data is used by organizations. As the emphasis on individual rights regarding usage of personal information increases, businesses will need to adapt how they obtain and use such data.

Why should Privacy Be Important to Your Firm or Company?

1. Neglecting privacy can impact your brand.
2. Allowing vendors or partners to misuse data may be a significant liability.
3. A breach is inevitable. The question is: Are you and your partner ready to respond?

The RSA Survey and Data Security and Privacy highlight some of the core reasons your firm or company should be concerned. 

• 46% of American respondents are concerned with the location of their information.
• 59% of all respondents listed Medical Data as a primary concern.
• 62% of all respondents said they would blame the company that last had their data, even before blaming hackers.

The survey concluded that as consumers become better informed, they expect more transparency and responsiveness from the stewards of their data. 

What are Data Controllers and Processors?

At the core of this GDPR privacy paradigm are the concepts of Data Controllers and Data Processors.

Data Controller

At the most basic level, the data controller determines the purposes for which and the means by which personal data is processed. So, if your company or firm decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.

Joint Controller

Your company or firm is a joint controller when, together with one or more organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.

Data Processor

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company or firm.

According to the GDPR, the duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.

Privacy Considerations when Selecting a Partners or Vendor

1. Understand what data they will have access to and where it will be stored.

Many companies use offshore resources to access the personal information associated with your client or claimant to keep costs as low as possible.

2. Make sure you understand exactly how the claimant/client data will be used.

Data aggregation and other analysis are incorporated into many corporate tailored solutions. Do you want to subject your claimant or client data to these processes?

3. Breach Response, Data Governance, Risk Assessment, and Compliance Management should all be primary areas of concern for your prospective partner.

Are they ready for any kind of breach? How do they govern access to the data? How are they documenting the processing activities around your data so that you can put governance processes in place? An important part of this is assessing the risks around that data and then demonstrating compliance at the end.