6 Challenges Insurers Will Face in the Post-GDPR World
Compliance with the EU General Data Protection Regulation (GDPR) is not simply a nice-to-have for insurers; it is a must (see my previous blog post for background on the regulation). With massive fines, more than a spot of embarrassment and bad press looming for those who fall short in handling their customers’ personal data, and the loss of customer trust on top, compliance is nothing short of an existential requirement. But it’s easier said than done…
The Multiple Legacy System Headache
Companies with multiple legacy systems are facing an uphill battle. As an insurer, your life insurance policy data can very conceivably be stored across two or three systems, and then there is your general insurance data, and so on. Insurers will need to keep tabs on where all that data is stored, while being vigilant that the data is only utilised where the customer has given consent. For example, data that a life insurance customer has consented to share cannot be used to market householders’ insurance.
Honouring the Right to Be Forgotten
Another multiple-legacy-system headache is that insurers must enable their customers to ‘be forgotten’ across all policies, so that their data can no longer be used. If a customer requests to be forgotten, the insurer must be able to erase their identifiable data. When different policies live in different systems, for example householders’ insurance in one and life insurance in another, the company must make these changes manually, which costs time and resources. The alternative is to find some way to link the systems together, so that when a customer instructs the company to ‘forget me’, the instruction is transparently propagated and put into effect across all of them.
Classifying Personal Data
Insurers must be able to work out what counts as personal data and what does not, and where it is personal, obtain consent to use it. The GDPR doesn’t list the criteria for personal data, so it’s up to insurers to classify which data can ultimately identify a customer, such as an IP address or an email address, and which cannot, such as date of birth or eye colour. Even then, insurers may only store and process personal data when it is necessary. For example, if a customer takes out household insurance, the insurer doesn’t need to know how many cars they drive or how many vacation days they take.
Avoiding ‘Regulatory Clash’
Insurers are being compelled to reduce the personal data they retain, in order to protect the privacy of customers. Meanwhile, other regulators are requiring providers to retain more data, in order to identify money laundering and fraud. Insurers must find ways to resolve this paradox.
Tracking Third Parties
European insurers who offer customers self-service access to their data, and who give third parties access to that data, must be able to track whenever and wherever personal data has been accessed, no matter the channel.
Quickly Report the Breach
Insurers must report breaches of personal data within 72 hours. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore more than just losing personal data: it includes any data that has been misused, hacked or sold onward, and any other unauthorised use.
These are all significant challenges, and overcoming them could potentially cost insurers tens of millions of pounds as they attempt to comply with the GDPR. But failing to do so could result in fines that could cripple or even bankrupt European insurance providers. And yet all is not lost. My next blog post will explain how some of these challenges may actually be opportunities…
In the meantime, please check out my white paper: Preparing for GDPR: Challenges and Opportunities for Insurers.