Incoming GDPR legislation from Brussels could leave 75% of insurers exposed to fines and fraud
Only one in four insurers will be adequately prepared for sweeping changes to data protection laws, resulting in potentially devastating fines, fraud and the rise of a new class of ‘ambulance chasing’ claims management companies (CMCs), experts have warned.
New data protection legislation from Brussels, known as the General Data Protection Regulation (GDPR), will come into force in May 2018 and includes punitive fines of up to 4% of turnover or €20m (whichever is higher) for companies found either to be in breach of the rules or to have failed to respond swiftly to a data breach. A breach can be defined as loosely as sending information about a third party (customer) via email without their express consent, but generally refers to episodes where customer data is at risk of being stolen through the intervention of a malicious third party.
The revisions are an extension of the Data Protection Act, and will be implemented regardless of Brexit. They could mean a triple whammy for the industry, which will be hit by costs to bring their data management systems in line; fines for being found in breach; and revenue loss due to new limitations on direct marketing activities, currently based on user profiling. Potential claims from insured clients also exposed to the regulation, in particular SMEs, could also be significant.
“GDPR will be a eureka moment for the industry,” said Craig Watson, cyber trading risk underwriter at RSA. “If you’re not talking about this, it will be a disservice to insurance. We need to act now.”
Despite the concerns, several major insurers declined to comment when contacted by Insurance Times.
Privacy by Design
Under the principle of ‘privacy by design’, the law will grant new powers to consumers to protect their anonymity while placing massive new burdens on businesses to manage information both on an ongoing basis and for auditing purposes. Upon request businesses will have a month to respond – or in some cases just three days – detailing all information that they have on the consumer. One scenario involves the right to be erased from the record, or forgotten, if no longer a customer.
The GDPR also requires all companies to report data breaches to the appointed regulator within 72 hours, and requires companies with over 250 employees to hire a dedicated data protection officer.
While the issue has been publicised, industry commentators have said that brokers and insurers have taken few steps to resolve the issue, in particular those with shared service centres, leaving them exposed to prosecution by Brussels via an enforcement arm, likely a government quango. Sources have said that a number of banks have provisioned for this scenario, allocating as much as €100m in funds to cover their liabilities. Another said that the big four consultancies, including PwC and Ernst & Young, were already ‘making millions’ in consultancy fees on the subject.
In November, the Payment Card Industry Security Standards Council warned that UK businesses could face up to £122bn in penalties for data breaches, based on the revision of limits for fines from £500,000 to €20m. However, this refers specifically to breaches resulting in consumer data being exposed, as opposed to businesses failing to notify consumers of any change to their records or responding to requests; in the latter case fines would be lower.
“The guidelines are there and while I would expect some mitigation, the regulators are likely to enforce the full impact in high profile sectors,” said Dharmendra Patel, head of strategy and finance at Pushfor, a cloud-based data management and messaging platform that effectively allows organisations to meet the new GDPR requirements. Other data protection solutions include recent Startupbootcamp graduate, PORT.
“Compliance is the responsibility for any party that manages personal data, and the ultimate owner must ensure that if they pass that data to third parties or brokers, the appropriate systems are in place – either by them or the third party. There needs to be an audit trail.
“For the insurance industry, in areas around profiling and direct marketing the right to be forgotten will have a major impact.”
Opening the door to fraudsters?
The GDPR revisions could also impact the ability of insurers and brokers to maintain information on high-risk customers, such as those who are more likely to attempt to submit fraudulent claims.
“If an individual has committed a fraud that is subject to a higher authority regulation, under GDPR the right to forget should not apply,” Patel added. “However, organisations need to ensure their consents and terms and conditions (T&Cs) make this clear to avoid any ambiguities. If the fraud is not subject to a higher authority, under the right to forget requirements, insurers [will] need to consider how this information can be legally shared with other organisations.”
It is unlikely that amendments to T&Cs, previously used to sidestep changes to data protection requirements, will cover the changes to the law.
“GDPR is giving EU citizens more protection on how their data can be used or not used. It is not there to prevent personal data usage but its misuse,” Patel said. “That’s one of the problems today. You’re always sending stuff, and so you [the data carrier] are exposed.”
It costs a business around £35 per data record to fix a breach, according to Verizon.
As insurers and brokers have evolved their marketing and customer service channels, including the use of WhatsApp, new exposures have been created. Patel also warned that the new legislation, with the onus being placed on the consumer to contact data holding parties, would give rise to a new breed of claims management companies who would pursue companies on behalf of consumers.
High profile breaches include Morrisons, which paid out £9m to employees following a payroll breach, and Deloitte, which lost an estimated £500m in business after an employee mistakenly sent a ‘Brexit’ email to a third party, resulting in the firm losing all government contracts for a fixed period.
Pushfor, which is based in Wimbledon, received £1.2m in Series A funding last year. It effectively anonymises data assets, including personal information, and ensures that the file never leaves the original source by using a cloud-based solution, as opposed to email or messaging platforms, which result in assets being duplicated and transferred.
The personal data market is worth an estimated one trillion dollars.
Excerpts from the new GDPR guidelines [quoted]
- The GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.
- If you are a controller [of data e.g. an Insurer], you are not relieved of your obligations where a processor [e.g. a broker] is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. … “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
- The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
- The right to be forgotten: “While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.”
- The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity. You must:
  1. Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  2. Maintain relevant documentation on processing activities. Where appropriate, appoint a data protection officer.
  3. Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
     - Data minimisation
     - Allowing individuals to monitor processing
     - Creating and improving security features on an ongoing basis.
  4. Use data protection impact assessments where appropriate.
  5. [Personal data shall be] accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.
- Consent must be verifiable. This means that some form of record must be kept of how and when consent was given.
- Individuals have a right to withdraw consent at any time.
- Implementation of the GDPR will require a review of consent mechanisms to ensure they meet the standards required under the legislation.
- It is important that you determine your legal basis for processing personal data and document this.
- This becomes more of an issue under the GDPR because your legal basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.