The ABI View: What new EU data rules mean for insurers

The EU Data Protection Regulation may not be the most eye catching title for a summer read, but a once in a generation change to legislating the use of data is currently underway.

The EU Data Protection Regulation entered its final leg in June, with negotiations (known as trilogues) between the European Commission, the European Parliament and the Council of Ministers to reconcile their different versions of the text. Although this is the final stage of the process, the legislation is still some months away from being finalised. However, now is the right time to take stock of the last three and a half years, assess where we’ve got to, and plan for the last sprint (or, more accurately, for the (half) marathon) ahead.

The ABI’s engagement began with the 2010 consultation stage and we have been involved throughout the five year process. Insurers recognise the importance of data privacy and take their responsibility for data protection seriously. Data is at the heart of insurance and it’s important to ensure that insurers can continue to responsibly use data to provide customers with the insurance products they need. Therefore, there was a need to highlight possible unintended consequences which might affect customers, especially since much of the Regulation was designed with social media in mind.

 Key potential problem areas for insurance and its customers:

1. Using individual data The Regulation must allow insurers to access, process, store and share data to continue to offer products. Data enables insurers to price products accurately and provide cover that best meets their customers’ needs, which has been the basis of insurance for hundreds of years. The use of data also enables insurers to prevent and detect fraud, minimising costs for honest customers. In 2014, the ABI estimates insurers detected over 130,000 fraudulent claims, worth £1.3bn, and the Data Protection Regulation should strengthen, not hinder insurers doing this.

2. Underwriting It’s important the Data Protection Regulation does not impede insurers’ ability to underwrite risk. Written with the online context in mind, the provisions on ‘profiling’ could impact the provision of goods and services. Therefore, these need to be proportionate to ensure insurers can still use customers’ data (i.e with their consent, or for the purposes of entering into or the performance of the contract) to provide customers with the products they need.

3. Data portability The Regulation should not force insurers to disclose commercially sensitive information to competitors. The draft legislation seeks to introduce a right to data portability, which arguably is not a privacy issue. If the provisions remain in the final text, the wording must ensure insurers are not required to divulge competitive or intellectual property aspects of underwriting.

4. Right to be forgotten A flagship proposal of the Regulation, the right to be forgotten was written with the social media in mind, but it needs to be fit for purpose in an off-line context. It’s important that the text ensures individuals understand and can meaningfully exercise this right. For example, an insurer may not be able to delete all data it holds on an individual because it has to comply with other regulations (for instance, for anti-money laundering purposes) or in order to pay out a claim at a later stage.

Looking ahead, all of these topics will continue to be discussed by EU policymakers, in line with the agreed roadmap, which sees agreement reached by the end of this year. This could mean the earliest date for implementation of the Regulation would be December 2017.

This timeframe for trilogues is extremely ambitious and some key differences between the negotiating parties remain. However, the political momentum cannot be overstated and there’s a desire to get the text agreed as soon as possible. We’re working towards final agreement in December, but are prepared for the long-haul.

ABI members will be discussing this issue and many more on 9 September at the ABI Data Conference - The bigger the better? Insurance, Big Data and the digital world.