Introduction

The General Data Protection Regulation (GDPR) is the biggest shake-up to data protection laws in Europe in over twenty years. GDPR came into force on 25 May 2018 and is designed to create a single set of requirements across Europe that give individuals more rights and control over how organisations can process and store their personal information.

At Bupa Global we take privacy and data protection seriously. Part of our vision statement is to respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that customers trust us to keep their personal information safe.

We’ve set out below a few FAQs that we have received about Bupa Global’s preparations for GDPR.

How has Bupa Global been preparing for GDPR?

We take privacy and data protection very seriously at Bupa Global. In line with our Bupa Code we respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that our customers and our people trust us to keep their personal information safe.

To make sure the business continuously improves, Bupa Global has been preparing for the GDPR for some time by running a readiness programme which brings together privacy, IT, legal and compliance expertise to review our business processes, IT and organisational controls, customer literature, and third party arrangements against the new requirements. Our preparations continue to respond to the evolving regulatory environment and the guidance we expect over the coming months from privacy regulators in Europe and beyond. We see privacy as something that goes beyond GDPR and is a part of business as usual at Bupa Global.

Although the GDPR is European legislation, the changes we are making will in some cases have effect for our customers, suppliers, partners and brokers beyond the UK and Europe.

Does GDPR apply to Bupa Global’s brokers?

It may do.

GDPR applies to data controllers and data processors and can apply to those based within the European Union and outside the European Union. The GDPR will apply to businesses established in the European Union and businesses based outside of the European Union that offer goods or services in the EU or monitor the behaviour of EU citizens, irrespective of whether the business has a presence in Europe.

Under GDPR, is Bupa Global acting as a data processor for its brokers?

Bupa Global cannot provide an absolute answer as arrangements may differ. Bupa Global provides a wide range of services to both individuals and companies. In privacy terms, Bupa Global is generally acting as a data controller when delivering these services, rather than as a data processor.

In order for Bupa Global to provide international private medical insurance services, Bupa Global determines what personal information it requires about individual members. This includes determining the personal information that is required to provide the services and how it is used (e.g. what personal information is used to price premiums and underwrite, how personal information is used to manage claims and provide benefits). When Bupa Global is making these decisions, Bupa Global is acting as a data controller.

We consider that brokers will generally also be data controllers. This is because brokers are usually making decisions about personal information they collect, the purposes for which personal information is processed and the way in which it is processed.

Brokers act as agents of the insured party. Generally, each broker determines what personal information they need to collect prior to providing such personal information to Bupa Global in order to arrange an insurance policy. The broker will retain the personal information and continue to control how it is used (e.g. to send marketing to individuals). On this basis, the broker would also be a data controller.

What does it mean if Bupa Global and a broker are each data controllers?

Under GDPR, where Bupa Global and a broker each act as data controllers, each party has responsibilities for the ways in which we collect, use, store and delete personal information. We each need to determine for ourselves how the law applies to us and what we need to do. For our brokers, this may mean that they need to make some changes to the ways in which they operate, review their current processes and consider their privacy culture.

At Bupa Global, we see compliance with GDPR as part of doing the right thing for customers, rather than just compliance with a legal obligation.

Will Bupa Global be changing its agreements with brokers?

Yes, Bupa Global will be updating our agreements with our brokers as required in order to reflect changes to privacy law under GDPR. This does not mean that all of our brokers will immediately receive new agreements, as we may already have GDPR-ready terms in place.

Will Bupa Global be updating its Privacy Notice?

Yes, we have updated our privacy notice available on our website and are updating all of our guides and other materials in line with GDPR requirements.

Will Bupa Global complete broker’s GDPR readiness questionnaires?

As Bupa Global generally acts as a data controller for the provision of our services, we will not complete questionnaires that are designed to carry out due diligence on data processors. When processing personal information as a data controller Bupa Global has direct legal obligations for compliance with relevant data protection laws as well as complying with our internal privacy standards. We recognise, however, that our customers wish to ensure that all of their service providers are committed to safeguarding information to the highest standard. We are happy to discuss specific areas of concern, and brokers should raise any such issues with their usual Bupa Global contact.

What frameworks are in place to ensure that Bupa effectively manages privacy issues?

Bupa Global’s privacy framework is built out of Bupa’s enterprise level privacy, information security and risk policies.

Bupa Global’s policy and governance structures relating to privacy are designed with the accountability principle of the GDPR in mind.

Our enterprise level policies on information risk and privacy govern the approach Bupa Global takes to ensuring that privacy issues are effectively managed within the business. Regular risk assessments are carried out, which feed into our broader risk registers and committees, ultimately reporting to the Bupa Board Risk Committee.