
Data privacy

Protecting customers and other stakeholders’ personal data is of utmost importance for Sampo Group.

At Sampo Group, personal data is processed in a lawful, fair, and transparent manner. The aim is to ensure that the privacy of customers, employees, shareholders, and other stakeholders is not breached. The insurance sector is highly regulated and involves processing large volumes of personal data. Sampo Group faces business, operational, and reputational risks if it fails to comply with data privacy regulations and guidelines.

Governance

At Sampo Group, the guidance documents on data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, both of which are reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes and maintains a data privacy framework or similar procedures that help create a culture of commitment to data protection. These procedures include, for example, awareness-raising, reporting structures, screenings, impact assessments, security measures, and data processing agreements.

Reporting on data privacy is provided regularly to the CEOs and Boards of Directors of the respective Sampo Group companies. Sampo Group also has incident investigation and corrective action processes in place.

Sampo Group uses awareness-raising activities for employees and contingent workers to prevent and mitigate user risk. These include mandatory data privacy training, refresher courses, data protection impact assessment (DPIA) courses, and courses on privacy by design and by default. They help employees and contingent workers understand appropriate data protection practices and the risks associated with their own actions. In addition, the intranet offers all employees and contingent workers practical help, contacts, training, guidelines, and information on data privacy processes and methods.

When third parties handle personal data on Sampo Group's behalf, this is done in accordance with applicable data protection laws, and Sampo Group enters into a data processing agreement (or similar) with the supplier. The agreement sets out how the supplier and, where applicable, its sub-suppliers must handle Sampo Group's data. Third-party data processors are assessed regularly.

Incident reporting and providing remedy

Sampo Group ensures that incident investigation and corrective action processes are in place. Sampo Group has operational measures to monitor and respond to data incidents and breaches. Escalation processes engage the Data Protection Officers (DPOs) and other senior roles. Data breaches are analysed, handled, documented, and, where notification is required, reported within the 72-hour deadline set by the GDPR. The risk to the data subject is identified, analysed, and evaluated, and appropriate measures are taken as a result. Evidence of each data breach is recorded to fulfil the accountability principle.

Data breach trends are addressed in information security committees to identify possible risk management synergies between data privacy and information security, for example by jointly weighing the probability of occurrence, the potential damage, and the risks to the rights and freedoms of data subjects.
