
Data privacy

Protecting customers and other stakeholders’ personal data is of utmost importance for Sampo Group.

At Sampo Group personal data is processed in a lawful, fair, and transparent manner. The aim is to ensure that the privacy of the customers, employees, shareholders, and other stakeholders is not breached. The insurance sector, which is a highly regulated industry, is characterised by a high amount of personal data processing. Sampo Group can face business risks, operational risks, and reputational risks if it fails to comply with data privacy regulations and guidelines.

Governance

At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, which are both reviewed annually, and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines (e.g. data privacy policies, information security policies, ethics policies) for its own purposes, and has data privacy frameworks or similar procedures that help create a culture of commitment to data protection. The procedures include, for example, awareness-raising, reporting structures, screenings, impact assessments, security measures, and data processing agreements. The ultimate responsibility for the implementation of the group level principles and company-specific policies and processes lies with the management of each individual Sampo Group company. Reporting on data privacy is provided regularly (e.g. quarterly, when deemed necessary) to the CEOs and boards of directors of respective Sampo Group companies. 

When third parties handle personal data on Sampo Group’s behalf, it is done in accordance with applicable data protection laws, and Sampo Group enters into a data processing agreement (or similar). The agreement states how suppliers and, if applicable, sub-suppliers shall handle Sampo Group’s data. Where relevant, Sampo Group also ensures that the contractors have data protection policies in place. Third-party data processors are assessed regularly. Sampo Group may, to a limited extent, transfer or allow access to data outside the EU/EEA. This is always done in compliance with applicable data protection laws.

Sampo Group conducts quarterly risk assessments on its technologies and practices affecting user data. Each data processing activity registered in the Records of Processing Activities is also reviewed annually. In addition, in line with the GDPR, Sampo Group conducts monitoring activities and risk assessments whenever deemed necessary, focusing on specific areas of interest. Internal audits related to data privacy are conducted with varying frequency and scope.  

Sampo Group offers mandatory and regular (e.g. annual) awareness-raising activities to employees and contingent workers to prevent and mitigate user risk. Such activities include mandatory data privacy training, refresher courses, data protection impact assessment courses, and privacy by design and default courses. These activities help employees and contingent workers understand appropriate data protection, and the risks associated with their actions. In addition, Sampo Group’s intranet pages are a source of information for all employees and contingent workers, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods. 

Incident reporting and providing remedy

Sampo Group ensures that incident investigation and processes for corrective actions are in place. Sampo Group has operational measures to monitor and respond to data incidents and breaches. Escalation processes are in place to engage the DPOs and other senior roles. Data breaches are analysed, handled, documented, and reported, when necessary, within the 72-hour requirement. The risk to the data subject is identified, analysed, and evaluated, resulting in appropriate measures. Evidence of each data breach is recorded to fulfil the accountability principle.

Data breach trends are addressed in information security committees to identify possible risk management synergies between data privacy and information security, for example by jointly weighing the probability of occurrence, the potential damage, and the risks to the rights and freedoms of data subjects.
