The introduction of the GDPR is going to have a significant impact on the insurance industry.
On the commercial side, demand for dedicated cyber and data breach insurance policies is already growing, and will continue to grow until the regulation comes into force in May next year and beyond.
But the biggest effect is going to be on how the industry deals with the processing of sensitive personal data, where there are specific issues.
The GDPR will introduce new, more stringent requirements for securing consent when collecting and processing personal data.
Many insurance products and policies rely on personal data being provided for arranging and underwriting purposes and for when claims arise.
Many of these products, such as consumer policies like health or travel insurance, will involve sensitive personal data. Under the GDPR this is termed special category data.
The issue for the insurance industry is that, unlike the healthcare sector for example, there are no specific grounds under the GDPR for processing sensitive personal data.
The insurance industry is concerned about this and the effect it could have on its ability to provide certain policies.
The Lloyd’s Market Association has sought clarity from the Information Commissioner’s Office (ICO) and coordinated an industry response.
It said either the ICO’s guidance must clearly acknowledge and allow consent to go hand-in-hand with the provision of the service, or the industry needs a dedicated legal ground for processing such data.
There are a number of other provisions of the GDPR that the industry must be aware of. One of these is the right to be forgotten, known as ‘the right of erasure’.
Article 17 of the GDPR provides data subjects with a new enhanced right to request access to and deletion of their personal data.
Data subjects do not need to prove damage or distress or inaccuracy for this to happen; data controllers must delete personal data on request under a number of specified grounds, including where the personal data is no longer necessary for the original purpose for which it was collected or processed and if the data subject withdraws their consent and no other legal ground for processing applies.
However, there are a number of grounds on which data controllers can keep personal data, including compelling legitimate grounds, to comply with a legal obligation or to establish, exercise or defend legal claims.
This change will move the balance of power from the data controller to the data subject and potentially give data subjects an unrealistic expectation of their rights.
Therefore insurers will need clear reasons, set out in writing, why they are keeping personal data.
Data portability is another new right under the GDPR that will impact the insurance industry.
Article 18 of the GDPR introduces a new right for data subjects that means that, on request, a data controller must provide the data subject with a copy of their personal data in a structured, commonly used and machine-readable format and must not hinder the data subject’s transmission of that personal data to a new data controller.
This means that insurance policyholders can not only request that insurance companies send their personal data but also that they send it to their competitors.
Insurers will need to draft new policies to deal with these requests and ensure the personal data they hold can be easily accessed and converted into commonly used digital formats.
Finally insurers will need to be aware of the new requirement for data breach notification. Currently there is no requirement to report a data breach to the ICO (or anyone else), but the GDPR will introduce mandatory breach reporting.
Data controllers will be obliged to report security breaches to the relevant authority “without undue delay, and where feasible, not later than 72 hours” after they first become aware of the breach.
To comply with this, insurers should review all policies and procedures to make sure data breaches can be detected and managed promptly.
The introduction of the GDPR is both a challenge and an opportunity for the insurance industry. It is essential now that we ensure we are fully prepared for the change to come, for ourselves and our customers.
By Mike Steeds, Operations Director at Prescott Jones
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPOs, security professionals and senior business decision makers looking for information, updates, clarity, advice and solutions. For more information, visit the website.