From May 2018, Europe’s insurers face strict new rules governing how client data is handled. As yet, no one quite knows what the real impact will be on how firms go to market; however, it’s pretty clear that the rules will raise the bar significantly in terms of governance and accountability. The General Data Protection Regulation (GDPR) is likely to create some specific issues for insurers, and the consequences of non-compliance could be high, both financially and in terms of potential reputation damage.
The changes are occurring because the GDPR, approved by the European Commission in May 2016, is coming into force. The new rules affect any organisation that holds data on individuals in the EU, including companies that are not domiciled in Europe. GDPR is being introduced to protect the public from irresponsible and/or inappropriate practices relating to the retention and use of personal data. The rules are also, in part, a response to the new digital economy and the proliferation of data captured via social, mobile and online channels. The introduction of GDPR will harmonise data protection regulations across all of the EU’s member states.
One thing is for certain. Europe’s insurers should not simply treat GDPR as a compliance exercise. The potential impact of GDPR on the insurance industry is likely to be of far greater significance. The new rules may prove to be an impediment to innovation, restricting the development of new products and services and digital business models. GDPR may also skew the competitive landscape in favour of new entrants, unencumbered as they are by the burden of legacy systems and vast archives of policyholder data. Insurers should carefully consider the potential implications of the new rules on their current and future business models and ensure that they have a strategy in place to respond to the immediate changes and to the evolving landscape.
The main impacts of GDPR?
Under the new rules, companies must disclose any breach of personal data to the regulators within just 72 hours of becoming aware of the breach. Potentially, they must also notify the affected individuals “without undue delay.” This level of responsiveness is likely to be completely alien to many insurers, and GDPR is intended to make companies treat such incidents as a priority. To be able to comply with this obligation, insurers will need to ensure that some effective mechanism is in place to identify and accurately report on breaches.
As a result of GDPR, insurers will also have to meet tougher requirements around the processing of personal data. Insurers will be required to prove that customers have consented freely to their data being retained and have been fully informed about how their data will be used. The implementation of GDPR is intended to minimise the unnecessary capture of personal data, and insurers will be expected to take this into account when designing and implementing new products and services.
GDPR also gives customers the “right to be forgotten” and policyholders will be able to request that an insurer delete their personal data where it is no longer required or in circumstances where they have withdrawn their consent. Policyholders will also be able to ask for their data to be transferred to a new insurer when they switch companies. Insurers will need to have efficient processes in place in order to respond to customer requests effectively and also ensure that mechanisms exist for the swift transfer of data to a third party.
If insurers fail to comply with any of these rules, the regulators will have the authority to fine organisations up to €20m (or 4% of global turnover if higher). Sanctions such as this are likely to ensure that insurers take the new regulations seriously and many within the industry have already appointed Chief Data Officers (CDOs) or Data Protection Officers (DPOs) to oversee compliance.
The impact of GDPR on Europe’s insurers will, however, be felt far more widely than in the compliance departments, and firms should not view the changes as just another regulatory burden. GDPR is likely to restrict the way insurance companies are able to use new digital technologies to harvest and analyse data. Such data use is fundamental to much of the innovation currently taking place within the insurance industry and will affect the future plans of many insurers. As a result, the pace of innovation and the type of new products and services coming to market may suffer, unless firms earn their customers’ trust by offering genuinely beneficial features rather than exploiting the data they hold.
Established insurers also face being disadvantaged by the complexities of multiple or siloed legacy systems. New entrants, meanwhile, are likely to suffer no such impediments, since they have far simpler structures and a data strategy at the heart of their business models. Established insurers should, therefore, take stock of the potential implications of GDPR for their current and future business models, and they should ensure that they are working to develop a strategy to respond to the impact of the changes.