VidInsurance Announces Full Compliance with the New General Data Protection Regulation (GDPR) from the European Union.
If you have been paying close attention to the media around security and privacy lately, you’ve probably read something about the General Data Protection Regulation that will be taking effect this month in the European Union. The GDPR is the biggest change in data privacy law in the last 20 years and it will impact how businesses are required to handle, process and store the personal data collected from EU citizens.
The regulation has now taken effect and VidInsurance is happy to announce that we are officially compliant with all the requirements put forth by the GDPR.
These new regulations extend far beyond the European Union itself. GDPR must be addressed by any company, whether in Europe or abroad, that has some form of their business within the borders of the EU.
How Does GDPR Affect You and What Is It?
Long overdue, the GDPR arises out of the EU’s previously existing privacy legislation, the Data Protection Directive, from 1995. GDPR’s role in EU law is to protect EU citizens from privacy and data breaches in a way that complements the evolving realities of a data-driven world. The goal is to give citizens more control over the personal information that is collected and stored by organisations they engage with online.
If you process data of EU residents, then GDPR applies to your business practices, and this includes non-EU organisations that offer goods or services to citizens of the European Union. The goal of this new legislation is to strengthen the rights citizens have over how their personal data is both handled and stored. As we move forward, EU citizens will have the right to demand that organisations reveal and/or delete the personal data they hold on them. In addition to this, consent to store data will now have to be explicit and informed. There are hefty penalties associated with non-compliance, reaching as high as €20M or 4% of an organisation's global revenue, whichever is greater.
Your team can remain confident that VidInsurance is now 100% compliant with the rules and regulations set forth in the new GDPR legislation.
Understanding the General Data Protection Regulation and How it Relates to Video Insurance Software
The General Data Protection Regulation has been a long time coming. It represents an important update to the existing privacy legislation: the Data Protection Directive, established in 1995. The GDPR aims to improve the protection of EU citizens against major privacy breaches in a world that is increasingly data-driven.
Before we jump in, it’s important to note that while this document can be helpful in ensuring your company’s compliance with the GDPR when using the VidInsurance Platform, we recommend you consult with your legal team to make sure all bases are covered.
You’ve Heard About The New Regulations, But What Do They Mean For Your Teams?
Interviewees represent an important source of data (data subjects). Your interviewees can be identified through their personal data: the information they provide before or when completing a video interview may include sensitive information like their names, user credentials, addresses and/or phone numbers. The GDPR was put in place to strengthen the rights of individuals with regard to this kind of personal data.
A cloud-based platform like VidInsurance collects, processes and stores interviewee data for a specific purpose (claims). The process relies heavily on collecting data from interviewees to help make informed decisions.
Who Is Affected by the GDPR and What Are the Consequences of Non-compliance?
The GDPR applies to any organization that processes the data of EU citizens. To be specific in the context of insurance and video interviewing software, it applies to any company, within or outside the EU borders, that interviews (and processes the data of) interviewees from Europe. The new legislation was passed in 2016, but companies were given a 2-year grace period to prepare for the imminent changes. As of May 25, 2018, compliance with GDPR requirements is compulsory, with fines reaching unprecedented heights; the maximum penalty for non-compliance is set at a staggering €20M, or 4% of a company’s global revenue, whichever number is higher.
Rights of Individuals with Regard to Their Personal Data
Under the GDPR, interviewees can request to be forgotten or to have their data revealed/rectified. Individuals will now have the right to demand that organizations delete from their systems the personal information that they have on them. The company will be fully responsible for compliance with these rights and will have to delete the information within 30 days of the candidate’s request. Interviewees will also have the right to ask your company to reveal the data it holds on them at any time and rectify inaccuracies if they feel the need to do so. In either case, the company will need to provide a digital copy of said data to the interviewee within 30 days of his/her request.
Why Do Companies Collect And Store Data?
Every time you access the web, log into a website or software platform, complete a survey, open a new account, fill out a questionnaire or provide information of any kind online, your data is being collected, often solely for the purpose of resale. In VidInsurance’s case, we use the data we collect to screen interviewees and gather relevant information for the claims process. In any case, data collection is known to help consumers and businesses alike. On one hand, companies gain valuable insights into their customer demographics; on the other, consumers get products and services tailored specifically to them. The problem arises when people’s privacy becomes compromised. Sensitive information is collected, stored, exchanged and/or possibly lost, exposing individuals to potential abuse such as fraud or identity theft.
How to Configure VidInsurance’s Video Interviewing Platform to ensure GDPR Compliance
The changes your team will likely see in their day-to-day
It is important to understand that under the GDPR, in order to collect data from interviewees, the intent must be explicit and justifiable. Your team can only source claim-related information as necessary and needs to obtain informed consent from interviewees before doing so.
Obtaining Consent from Your Interviewees
The GDPR will require interviewees to provide informed and explicit consent to very specific terms when providing information to data processors. There can be no confusion as to what the candidate is giving his/her consent to. The message needs to be crystal clear.
Ensuring your Software Vendors are GDPR Compliant
Data processors can have access to all of your interviewee’s data. It is important to make sure your software partners intend to protect your interviewee data the same way you do and have also updated their procedures and privacy policies to ensure compliance.
Accountability and GDPR Compliance
After a two-year transition period from the Data Protection Directive to the GDPR, your business is now fully accountable for its compliance with the new regulations. On top of that, your organization is also responsible for who it engages in business with. If a vendor or contractor you do business with falls short of compliance for any reason, you could be held responsible.
Transparency in the Interviewing Process
It is important to highlight that you are planning to collect data from your interviewees for claims purposes only and outline how long you intend to keep this data in your systems. If you require additional information throughout the claim process, for example, a review of an interviewee’s social media profiles, make sure this is also properly defined in the terms and conditions.
VidInsurance Video Interviewing Platform – GDPR Workflow Set Up
When it comes to processing/storing interviewee data within your VidInsurance System, you have two options:
Option 1: Request Permission to Keep Interviewee Data on File
If you wish to keep interviewee data on file past the point of the claims process, you must ask each interviewee specifically to opt in to having their data kept within your VidInsurance database for an extended period of time, which must be explicitly defined. Using a simple checkbox at the time of an interviewee’s video interview is not an acceptable means of obtaining consent. The interviewee must be asked by email (at a later date) and then will need to log in to VidInsurance in order to confirm that, in fact, it is acceptable for their data to be kept on file. If you would like this extra step to be set up within your VidInsurance workflow, we can assist you with the process to ensure compliance with these new GDPR guidelines.
Option 2: Do Not Keep Interviewee Data on File
For interviewees who do not affirmatively confirm consent to have their records kept on file, you have to delete their profiles soon after the claims process, within the timeframe necessary to make claims decisions, as previously explained to the interviewees. To delete these interviewees, your team will have to manually remove them from the system with a group setting within the VidInsurance platform, which we can help you set up. All your team will need to do is archive them individually and then there will be an option to delete them all at once.
Privacy Policies and Processing Interviewee Data
VidInsurance has also appointed a Data Protection Officer (DPO) who can be contacted at email@example.com to assist with any of the requests that your organization might receive.