Insurers warned again GDPR could spark claims avalanche against them

GDPR could bring an avalanche of claims similar to what we saw with PPI, insurers have been warned.

Independent insurtech company Auger believes GDPR could be the new PPI in terms of claims for misuse of customer data.

Auger’s warning echoes statements last November from law firm DAC Beachcroft, which said that a torrent of claims across Europe is “likely” from 25 May 2018, when the new regulations come in.

“If there is one finding I would highlight over others, it’s that over 80% of jurisdictions expected compensation claims for data protection breaches to increase under the GDPR,” explained DAC Beachcroft partner and head of cyber and data risk, Hans Allnut.

Now, head of technology at Auger, Neil Wilks warns that people who suspect insurance companies may be storing or processing data illegally will almost certainly be encouraged to pursue a claim much in the same way as PPI claims.

He said: “For the insurance industry, GDPR is a big shake-up, and will cause significant disruption to how insurers store, manage and process personal data. They could find themselves on the wrong end of various legal scenarios if they don’t put their house in order.

“They will face claims cases that are genuine where there has been negligence and damaging effects of misuse by the company of an individual’s data, and there will also be the no-win no-fee scenario.

”The ‘ambulance chasers’ will want to maximise it just as many have done with PPI.”

Meanwhile, Ash Patel, technical director at RWA Consultancy who gave a presentation at the Insurance Times Cyber Insight conference in November 2017, said that most companies have made big strides in the past few months to be ready.

He said: “We are in a much better place than we were in November. In the past couple of months, we have seen a surge in activity by most of the companies we work with.

He continued: “I don’t think we will see claims relating to GDPR in the same scale as we did for PPI. It might be for software companies and global firms. If a big, global firm shows blatant negligence, then the Information Commissioner’s Office (ICO) will come down hard on them. They could have a fine of £20m or 4% of their GWP, which is huge.”

Customers will be entitled to ask insurers to delete their personal data where it is no longer required for its original purpose, or where they have withdrawn their consent. Under the GDPR, insurance customers can request for their personal data to be transferred to a competitor.

If there is a data breach for whatever reason, the legislation allows 72 hours to report it. Fines for non-compliance of the GDPR could be up to 4% of total annual turnover.

Wilks warned that PPI claims cost the banking industry around £30m-£50m a year and that GDPR could show similar figures if companies are not prepared for the changes when they come in.

He continued: “As insurance companies often both control and process data they need to be fully prepared for the new rules to come into effect.”

Patel doesn’t think it will be as big of an issue as Auger fears:

”There will be slippage but generally, there is good progress. There will be a period where companies are still getting used to the changes, but I don’t think it will be too long.”

And even if there is a cause for a claim, Patel thinks the likelihood of a claim going to court is minimal.

“I think it will be very hard for the man in the street to bring a claim. Unless there is blatant negligence or a breach of their duties.

”And if there is cause for a claim, we won’t see anything until the tail-end of the year.”