
The Privacy Advisor | CNIL's FFSA Releases A Little Help for the Insurance Sector

With the regulation coming up—and yes, it is coming up; indicators show it, so get ready—the French data protection agency (CNIL) has taken a new turn. It underwent a reorganization leading to the creation of a compliance directorate (direction de la conformité), whose goal is to support data controllers towards compliance.

As such, it has released a new toolkit, promoted by the compliance directorate as a compliance pack (pack de conformité), a set of documents addressing the issues specific industry sectors face. A pack includes standard notifications or standard authorizations corresponding to the routine data processing practices of the industry at hand, as well as guidance including best practices. They were drafted after consultation with representatives of each sector concerned.

The compliance directorate has already issued two packs this year, one for welfare accommodation and one on smart meters.

On November 12, the new compliance pack for the insurance sector was presented to the public by the CNIL and the Fédération Française des Sociétés d’Assurance (FFSA) as a proactive approach in a very competitive sector, which is more and more data-driven, where it is necessary to develop practices to gain consumer trust.

The pack includes a standard notification (NS 16) for conclusion and management of insurance contracts, which acknowledges all specificities of the profession, including the need for geolocation of individuals in need of care, the processing of health data, and the retention of data about offers even if the contract is not concluded.

Regarding customer relationship management, the standard notification NS 56 enables an entity of an insurance group to share customer data with other entities of the group in order to have a full vision of the customer. It is now expressly acknowledged by the CNIL that insurance companies may process data relating to offenses through the standard authorization AU 032.

Another standard authorization addresses the processing of the Social Security number (AU 031), and last but not least, the standard authorization AU 039 allows processing of data on employees, agents, partners, suppliers and customers for fraud prevention and detection purposes. Data-mining tools can be used to issue alerts based on profiles/scenarios; however, human intervention is necessary to analyse the alerts and decide whether to investigate.

Individuals must receive a notice about the scheme in the contracts binding them to the company or, for employees, in the internal rules.

The CNIL has shown some flexibility here, as it did in the context of the whistle-blowing standard authorization, by considering that there is no obligation to give notice to the individual identified in an alert until the alert is confirmed and a decision having legal effects is made toward the individual after the six months of investigation.

The CNIL announced the creation of a club in order to evolve the elements of this pack over time and to continue the collaboration with the insurance professionals.

Compliance packs for the banking sector and social welfare are also coming up.
