Information to our customers about Optimum Insurance Consultants Oy (“OPTIMUM”) preparations for the new General
Data Protection Regulation.
ON 25 MAY 2018 the EU’s new General Data Protection Regulation (GDPR) will take effect. As OPTIMUM processes large amounts of data, including data regarding our customers’ financial circumstances, we view this as an important milestone. Many customers have asked us what preparations we are making for the implementation of the new regulation, and we have therefore produced this information to answer the most frequently asked questions.
Does OPTIMUM act as data controller or data processor?
Insurance brokerage is a licensed activity that is subject to detailed legal regulations. This means that we have legal obligations under various regulations to process our customers’ personal data in certain ways. We may, for example, have an obligation to store data in the form of advisory documentation or to perform checks for the prevention of money laundering. To meet these requirements, we need to have control over the personal data that we process in our activities. As a data processor is only permitted to process data on the instructions of a data controller and on the data controller’s behalf, it is not possible for us to act as data processor and at the same time live up to the rules that apply for our business. We therefore act as data controller for the processing that takes place within the context of our insurance brokerage services.
We of course only process our customers’ personal data to the extent that is required to fulfil our
agreement with each customer and in accordance with the rules that apply for our business.
How is OPTIMUM preparing for GDPR?
To ensure compliance with the General Data Protection Regulation, we have initiated a project covering:
- training/awareness raising
- analysis of the current legal situation
- and implementation of necessary measures, and
- Development of processes for compliance over time.
This means, for example, that all key systems and databases in which personal data is processed are being reviewed with regard to the relevant GDPR requirements to identify any necessary measures. We are also reviewing all our partnerships with companies that process personal data on our behalf, for example through storage in external server farms, to ensure that these live up to all the new legal requirements.
What is OPTIMUM doing to meet the new information security requirements in GDPR?
We are updating our IT security policy and our guidelines to meet the GDPR requirements. Our policy includes rules on physical security, secure log-in, access control, secure data transfer, logging of data processing, protection against intrusion and malicious code, back-up, etc. We are also implementing measures aimed at meeting the requirements and work methods provided for in the international information security management standard, ISO 27001, and are continuously training our staff in how to deal with the information security requirements.
Where does OPTIMUM store its data?
We store data in server farms located in Finland and the EU/EEA. If information is in any case
disclosed to a data processor, this information may only be stored in a controlled manner in
accordance with instructions issued by us in Finland and the EU/EEA.