The New General Data Protection Regulation: What is the Effect on the Insurance Industry?
Collection of personal data from clients is vital to many industries, including the insurance sector. Gathering this sort of information allows brokers and underwriters to offer clients the most suitable products available, meaning that policyholders receive the best service. The Data Protection Directive of 1995 has offered some level of protection to customers and clients, meaning that when they share their personal details with companies, their details are secure.
However, the DPD has long been considered outdated by many, with concerns that the directive has not kept up with the risks associated with cybercrime. Only 74% of businesses consider cyber security a high priority (with only 31% defining it as “very high.”[i] However, 46% of UK businesses have identified a cyber breach over the last 12 months. [ii] In 4% of cyber breaches, personal data was destroyed, altered or taken. [iii]
Last year, the EU adopted a new regulation; the General Data Protection Regulation (GDPR), which will be enforceable across the EU (and for any companies trading within the EU) from May 2018. This new regulation will allow individuals to have much more control over the data that is collected about them. Huge fines can be imposed for organisations that don’t follow the new legislation.
How does this affect the insurance industry?
The insurance industry uses personal data from clients to ensure a client centred service, offering packages aimed specifically at their customers (or prospective customers). The sharing and use of data between brokers and insurers is vital to the smooth operating of these companies. However, some changes may be required in order to remain compliant with the new legislation.
Tightening of cyber security
It is likely that data security is already a prominent consideration for many insurance companies.
The financial and insurance sectors already have a better track record with data security than many other sectors. Within the last year, 49% of organisations in the financial and insurance industries have given staff training on cyber security. This is far higher than the average for businesses across all sectors, which is 20%. [iv]
However, it is important to be aware that companies may have more responsibility for data security than ever before under the new regulation, as well as stricter fines being in place for breaches of security. It will be obligatory to notify the Supervisory Authority in the case of any data breaches. The individuals concerned must also be informed – unless the information has been anonymised or encrypted to ensure that the data is unusable. Therefore, tightening cyber security and encrypting personal data should be a priority for companies.
Until now, customers have not always been clear on exactly what the data that they provide is being used for, who it is shared with; or even that the data is being kept at all. Many companies have included pre-ticked boxes indicating consent for data sharing, with customers having to carefully read all the information and “uncheck” the box, if they prefer for their data not to be shared.
However, under GDPR, customers will have to actively consent to have data stored and shared and to be clear on where and how the data is being used. They should also have the “right to be forgotten” – meaning that they should be able to request for all their details to be deleted. The Information Commissioners Office has produced a 39 page document on the detail of the issue of consent within personal data use, which all businesses will need to comply with. [v]
While some businesses may be concerned that this will be complicated to put into practice, many companies will find that they already comply with much of the guidance. There is also an opportunity here; for insurance companies to explain to clients why they require personal data, and the ways in which it can make them more efficient operators. In the long term, this should foster customer trust and loyalty.
Known as “data portability,” this aspect of the new regulation could require new ways of storing data for companies. It gives individuals the right to transfer their personal data from one organisation to another. For an insurance company, this may mean that if the policyholder wishes to move to another insurer, the original insurance company should be able to transfer the data to the new provider, then delete the client details from their own system. This means that data needs to be stored in commonly used formats that are machine readable.[vi]
Recording processes and educating staff
Many insurance companies may find that they are already compliant with much of the regulation, but it is important to record information correctly in order to evidence that systems and processes are set up to protect data as per the new legislation.
Large organisations, or organisations processing lots of data will need to appoint their own Data Protection Officer. Even smaller organisations may wish to have someone taking on this role, to ensure that they stay compliant with the regulation.
Staff will need to be aware of new processes, as well as of what information they need to communicate with customers prior to recording any of their data. Staff dealing directly with clients will need to be able to communicate well to ensure that customers are not confused by the new legislation. Specialist recruitment agencies such as Aston Charles can help your company to find staff with an awareness of the GDPR and excellent customer service skills.
Get professional advice
We recommend that insurance brokers and insurance companies enlist specialist help from a consultant or solicitor to ensure that all aspects of the new regulations are being adhered to within their business.
The impact on the insurance sector
Complying with the new data protection laws may be challenging initially, as systems and processes are updated, and employees are re-educated to ensure the business is fully compliant. However, done well, businesses will find that in the long term, reputation and loyalty will increase as customers are confident that their data is safe and protected.
[ii]Klahr, R., Shah, J., Sherrifs, P., Rossington, T., Pestell, G., Button, M., & Wang, V, 2017. Cyber Security Breaches Survey 2017. 1st ed. London: Department for Culture, Media and Sport, p39.
[iii] Klahr, R., Shah, J., Sherrifs, P., Rossington, T., Pestell, G., Button, M., & Wang, V, 2017. Cyber Security Breaches Survey 2017. 1st ed. London: Department for Culture, Media and Sport, p43.
[iv]Klahr, R., Shah, J., Sherrifs, P., Rossington, T., Pestell, G., Button, M., & Wang, V, 2017. Cyber Security Breaches Survey 2017. 1st ed. London: Department for Culture, Media and Sport, p29.
[v]Information Commissioners Office, 2017. Consultation: GDPR Consent Guidance
[vi]Information Commissioners Office, 2017. The right to data portability | ICO. [ONLINE] Available at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-data-portability/. [Accessed 17 November 2017].