Three-quarters of insurers are unprepared for the new General Data Protection Regulation, called a data protection timebomb
Only one in four insurers will be adequately prepared for sweeping changes to data protection laws that could result in huge fines, increased fraud and the rise of a new class of ambulance-chasing CMCs: a data protection timebomb.
From May 2018, regardless of Brexit, insurers will be governed by the new General Data Protection Regulation (GDPR), the EU’s new framework for regulating data protection for individuals within the EU, as well as how that data is exported out of the union.
Insurers and brokers will see major changes regarding how they collate, process and store the data they collect from customers.
The new rules include punitive fines of up to 4% of turnover or €20m (whichever is higher) for companies found either suffering a data breach or failing to respond swiftly to it.
GDPR will grant new powers to customers to protect and access their data while placing massive new burdens on businesses to manage customer information. Individuals will also have the right to be erased from the record, or forgotten, if no longer a customer.
All companies will have to report any data breaches to the regulator within 72 hours; and companies with over 250 employees will have to appoint a dedicated data protection officer.
Potential breaches range from sending client information via email without their consent, to data theft by hackers and ransomware attacks.
“GDPR will be a eureka moment for the industry,” says Craig Watson, cyber trading risk underwriter at RSA. “If you’re not talking about this, it will be a disservice to insurance. We need to act now.”
The insurance industry will be hit by increased costs to bring their data management systems in line; they will face possible fines for breaches; and their revenues could be hit by restrictions on direct marketing activities based on user profiling.
There are also concerns about potential claims from insured clients who are also exposed to the regulation, in particular SMEs.
DAC Beachcroft partner Emma Bate says GDPR could pose an issue for insurers looking to use data such as credit checks or claims histories to price policies unless changes are made to the way the regulations are implemented in the UK.
“If an insurer is going to process personal sensitive data then it has to get explicit consent [from the customer],” she says. “For most insurance policies, processing personal sensitive data is required - you can’t provide insurance without it.
“Things like anti-money laundering checks, health checks or claims histories are important, and this information needs to be collected. So one option we are exploring is conditional consent, where insurers say to individuals: ‘If you want this product you have to give us consent, and if you don’t you can’t have this product’.”
But for now, this option is not guaranteed, so Bate is working with the insurance industry to lobby for changes to the way GDPR is applied in the UK.
“We are hoping, with the LMA and maybe the ABI and Biba, to get an extra option for insurers looking to get consent. But we are only at the beginning of that process.”
Need to transfer
One issue for insurers and reinsurers is that they often do not have direct contact with the policyholder, whose point of contact is with a broker. In such cases, the broker would need to take responsibility for obtaining consent for all parties in the insurance chain.
The incoming regulations mean that any data collected as part of an insurance policy will also need to be transferrable between insurance providers, something that has long been a problem for the telematics market as consumers look to take their driving history to a new policy when they switch.
“The whole purpose of this is to encourage switching between products,” Bate says. “This means the information you provide as part of the application for a policy, as well as information that you generate – such as telematics data – is covered by GDPR, so must be transferrable.
“There is, however, no obligation on insurers to be in a position to accept the data”, she adds. “There are lots of different types of telematics data and, while I’m sure insurers will get on board with this, there is still a lot of work to be done to make sure that they are ready to receive that data and provide quotes based on that data.”
“Compliance is the responsibility for any party that manages personal data, and the ultimate owner must ensure that if they pass that data to third parties or brokers, the appropriate systems are in place – either by them or the third party. There needs to be an audit trail,” says Dharmendra Patel, head of strategy and finance at Pushfor, a cloud-based data management platform.
“For the insurance industry, in areas around profiling and direct marketing the right to be forgotten will have a major impact.”
The right to view all information held about individuals and the right to be forgotten could also impair efforts to combat fraud through including “high risk” profiles in insurance fraud registers, Patel says.
GDPR could also pose problems for insurers and brokers in their increasing use of social media and messaging apps as additional marketing channels.
Patel warns that the new legislation, with the onus being placed on the consumer to contact data holding parties, may give rise to a new breed of claims management companies who will pursue insurers and brokers on behalf of customers affected by data breaches.
High-profile breaches have included Morrisons, which paid out £9m to employees following a payroll breach, and Deloitte, which reportedly lost £500m in business after an employee mistakenly sent a Brexit email to a third party, which resulted in them losing all government contracts for a fixed period.
The insurance industry has been slow off the mark in preparing for the advent of GDPR.
Other branches of the financial services sector have already begun taking precautions. Some banks are reported to have made financial provision for possible GDPR exposure, setting aside as much as €100m in funds to cover their liabilities, and the big four consultancies, including PwC and Ernst & Young, are said to be already “making millions” in consultancy fees on the subject.
It’s impossible yet to get an accurate estimate of the potential financial impact on the insurance industry, or what level of provisioning insurers and brokers will have to make against potential liabilities.
But with the maximum fine for data breaches rising from its current level of £500,000 to €20m under GDPR, UK businesses as a whole could face penalties totalling up to £122bn, according to estimates from the Payment Card Industry Security Standards Council.
WHAT THE ICO SAYS:
GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.
If you are a controller [of data, for example an insurer], you are not relieved of your obligations where a processor [a broker] is involved – you must ensure your contracts with processors comply with the GDPR. The controller is responsible for, and must be able to demonstrate, compliance.
GDPR applies to both automated personal data and to some paper filing systems. This is wider than the Data Protection Act’s definition and could include chronologically ordered sets of manual records containing personal data.
The right to be forgotten: “While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.”
The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity. You must:
Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
Maintain relevant documentation on processing activities. Where appropriate, appoint a data protection officer.
Implement measures that meet the principles of data protection by design and data protection by default. Measures could include: data minimisation, anonymising data through using pseudonyms; increased transparency; allowing individuals to monitor processing; and creating and improving security features on a continuing basis.
Use data protection impact assessments where appropriate.
[personal data shall be] accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.
Consent must be verifiable. This means that some form of record must be kept of how and when consent was given.
Individuals have a right to withdraw consent at any time.
Implementation of the GDPR will require a review of consent mechanisms to ensure they meet the standards required under the legislation.
It is important that you determine your legal basis for processing personal data and document this.
This becomes more of an issue under the GDPR because your legal basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
When does GDPR come into force?
The regulations were approved in April 2016, but the new rules do not come into force until 25 May 2018, meaning insurers have only a year to get ready to comply with the regulations.
How will I handle personal sensitive data?
Privacy notices will need to be issued to customers to obtain their consent to collect, store and process their data. This will be more detailed than the current requirements under the Data Protection Act.
What happens if my company suffers a breach?
The ICO will need to be notified of any breach within 72 hours, a strict requirement that will undoubtedly mean insurers will have to provide a basic notification within the time period stipulated by the GDPR and then update them on the situation as more information comes to light.
What opportunities does GDPR bring?
Underwriters will be able to use clearer criteria to underwrite cyber risk. According to Ryan Specialty Group (RSG) Europe cyber president Jamie Bouloux, the new rules will help to make cyber products more relevant.
“Now you are insuring clauses that will be aligned to support clients’ privacy exposure. There will be a benchmark for what privacy and liability looks like in Europe. If anything it will allow for more transparency as to the product and proposition.”
Bouloux says the firm is working on making its cyber policies more relevant to GDPR.