The European Union’s General Data Protection Regulation (GDPR) is considered the most important legislation regarding personal data protection, globally. Coming in full force on May 25, 2018 after a two-year transition period, GDPR introduces several provisions that are distinctly more stringent than the preceding Directive 95/46/EC. While meant to be industry-agnostic, GDPR has profound impact on the insurance industry.
GDPR applies to companies of almost every size and sector that process the personal data of EU residents. A closer look at the regulation’s 173 recitals and 99 articles, however, suggests that it impacts certain sectors a touch more than the rest, including insurance. Whether it’s in the way personal data is collected or used, shared or stored, insurers must transform their processes and systems in order to comply with the regulation and maintain customer trust. This whitepaper touches upon some of the more far-reaching challenges that GDPR poses for insurers, as well as underscores its opportunities.
Nature of personal data
Insurers manage risk. In order to keep that risk in check, they do a great deal due diligence on their customers by way of underwriting. Regardless of the type of insurance, an underwriter will invariably collect and review personal data of the applicants, ranging from demographics to more sensitive data including health history, genetic history and physiological traits. The latter are tagged as “special categories of data” under GDPR, and any misprocessing there will attract the higher of the regulation’s two fine brackets: 4% of global annual turnover or EUR 20 million, other conditions notwithstanding (Art. 9, 83). Collection of such data is only allowed based on individuals’ explicit consent (Art. 9) unless it is necessary for reasons such as protecting the vital interests of individuals or for the public interest.
Type of processing
• Pricing and Underwriting
The more personal data companies collect, the easier it becomes to accurately price risk.
However, processing sensitive personal data on a large scale will obligate companies to carry out formal data protection impact assessments (DPIA) (Art. 35), requiring them to carefully record the necessity and proportionality of processing, assess risks posed to the rights and freedoms of data subjects, document envisaged measures to address these risks, and much more.
Collecting large volumes of data goes beyond underwriting, as increasing amounts of personal data are needed for other functions including claims, fraud prevention and marketing.
• Direct Marketing
Insurance companies extensively use direct marketing to find new customers. They not only collect data directly from individuals, but also purchase data from third party providers. The marketing function then examines this data in many ways to push their products and services to targeted sets of individuals via multiple channels including telemarketing, digital marketing, brochures, and campaigns. Under the GDPR, such marketing requires positive opt-in by the individuals to state their consent and preferences on whether they want to be contacted and how. Such consent needs to be freely given, such that the individuals have a genuine choice and can easily withdraw consent (Art. 7). GDPR also offers individuals the right to object (Art. 21) to personal data processing where it relates to direct marketing.
• Fraud Prevention
Similarly, the processing of personal data relating to criminal convictions and offences is permitted when such processing is explicitly authorised by EU or Member State law (Art. 10), providing for adequate safeguards. Further, such processing also entails formal DPIAs (Art. 35).
• Claims Processing
Claims handling is a data-rich function. Insurers’ ability to administer and pay claims depends upon the availability of the right data, which is often sensitive. Some of the aforementioned factors including collecting criminal convictions data only based on existing EU/MS laws also impact claims. Further, seemingly the only grounds for processing special categories of data under the GDPR is with explicit consent (Art. 9), which can be detrimental if such consent is withdrawn.
With data minimization as a core principle of the GDPR (Art. 5), it is absolutely vital for insurers to assess how much data they can lawfully collect, and likewise how much data is too much. It is worth a mention that there can be multiple lawful reasons for collecting data, such as in performance of a contract, legal obligations, and legitimate interests.
Automated Decision Making
Once insurers overcome the collection conundrum, there awaits another key challenge. For insurers, business is about making decisions; decisions on whether to issue an insurance policy, whether to underwrite a risk, whether to charge low or high premium. When decision making is fully automated (such as profiling) and has legal or other significant effects on data subjects, Article 22 applies. Article 22 grants data subjects, the right to obtain human intervention, unless. such a decision is necessary for the performance of a contract, based on explicit consent or authorization by EU or Member State law. If this profiling includes special categories of data, it will also necessitate DPIAs (Art. 35).
Even if the decision making is necessary, insurers will have to implement adequate measures to safeguard the data subject’s rights, freedoms and legitimate interests. In both these cases, it is noteworthy that privacy notices should specify the existence of automated decision making or profiling, the logic involved, and the likely consequences for data subjects (Art. 13). GDPR also requires notices to be concise, clear and in plain language.
“Profiling in context of GDPR is defined under Article 4 as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.
There is deliberation here over what’s necessary for the performance of a contract and what’s not. Further, contract between which two parties – data subject and controller, controller and processor, or with third parties. These questions will take some time to unequivocally answer.
Nonetheless, automated decision making is an integral component of insurance activities such as pricing and underwriting, profiling, market research, targeted advertising, and fraud analytics. Each function requires automated processing of personal data to generate value – and it will likely continue to add fuel to the fire on whether and how much data is necessary. Even the supervising authorities will need to carefully consider this fine delineation, as they will be the ones deciding the amount of fines and penalties. After all, any breach of rights of data subject will attract penalties from the higher tier, so the stakes are high.
Shift in the Balance of Power
By way of introducing new rights to data subjects, such as the right to data portability and the enhanced right to be forgotten, the regulation has evidently shifted the onus of demonstrating compliance onto companies.
• Right to Data Portability
As per Article 20, data subjects now have the right to receive their personal data held by a controller, or have it transmitted to another controller in a structured, commonly used and machine-readable format. Controllers will have to develop and maintain interoperable formats that enable such portability. This may seem an ordeal for most insurers, as their technology infrastructure is usually comprised of disparate systems accrued over the years. The existence of legacy systems can further increase this complexity, as can a distributed legal entity structure. The adoption of disruptive technologies such as big data, cloud, and AI by the insurers has somewhat triggered the modernization and simplification of IT. With the requirement of data portability lurking around the corner, insurers will have to expedite such programs and ensure they are ready to pull out the data set for a specific data subject within a challenging one month timeline. The added pressure of providing such data free of charge only accentuates the need to implement interoperable systems and processes that minimize the administrative overheads.
• Right to Erasure
Likewise, under Article 17, data subjects are entitled to a right to have their personal data erased (or forgotten) by the controller if there’s no longer a legal requirement to retain it or if other grounds apply. This will likely have some impact on insurers that prefer retaining data for as long as possible to maximize its potential benefits in areas such as pricing analytics. The balance of power has now shifted to data subjects, who may have frequent, sometimes unrealistic expectations for having their data erased or forgotten.
These requests may sound seemingly simple, but the readiness required by controllers is a challenge in its own sense. Insurers will have to revisit their data retention and disposal policies and mechanisms. Even documenting a clear legal justification for retaining data will require a lot of introspection and brainstorming.
• Data Retention
Data retention, in itself, is an area that will have far-reaching impact on insurers. The storage limitation principle under GDPR (Art. 5) means over-retention certainly won’t be a prudent business idea. The principle mandates that personal data be retained only as long as is necessary for the purpose it was collected for, after which it must be deleted or anonymized. Insurers will have to carefully revisit and baseline their retention schedules, and follow them judiciously.
GDPR does allow storage for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, such as scientific, historical or statistical research purposes. This data is subject to additional technical and organizational safeguards such as pseudonymisation. Regardless of the approach adopted for compliance with these data retention requirements, the cost of compliance will likely be on the higher side as it involves significant system changes.
GDPR is a game changer for companies that process personal data, more so for insurers for the aforementioned reasons. However, there are several opportunities from this tough privacy regulation. Once companies come to grips with the datacentric approach that GDPR puts forth and establish a stronghold for personal data, they can make efficient business decisions. Improved operational efficacy, greater credibility with customers and employees, a reduced threat landscape and enhanced brand value are natural positives that follow.
Another area in which insurers score big is in cyber risk insurance. With the scale of fines under GDPR, the costs resulting from a cyber-attack can no longer be seen as an acceptable cost of running a business. More and more companies will look to risk-insure their businesses against cyber-attacks. In the pre-GDPR EU, breaches often went under the radar as there were no regulatory requirements for companies to report breaches. Come May 25, 2018, this will change due to requirements for mandatory breach notifications to regulators and in some cases data subjects (Art. 33, 34). This will likely result in a surge in demand for cyber insurance products and services to avoid, mitigate or transfer the risk of cyberperpetrated breaches.
With only a small number of insurers offering cyber insurance today, there is a tremendous opportunity for others to establish a footing in this growing market and develop all-encompassing cyber insurance products. The intent should be to provide end-to-end cyber risk management solutions covering cyber threat intelligence, expert consultation, legal and forensics assistance, as well as adequate cyber indemnity from first-party costs and thirdparty claims arising from a data breach. It will be a win-win situation if insurers, by way of their holistic cyber risk management offerings, are able to help their clients alleviate their cyber risk profiles.
Now, it will be interesting to know whether insurers will match their cyber insurance cover to the colossal EUR 20 million (or 4% of global annual turnover, whichever is higher) fines entailed by GDPR. Equally fascinating will be the final position regulatory authorities take on whether cyber insurance can legally indemnify the full penalty under this European data privacy regulation.
Various associations including LMA, ABI, IUA, LIIBA, BIBA and BIPAR have submitted a memorandum to the Department for Digital, Culture, Media & Sport (DCMS) on behalf of the insurance industry to request for certain derogations under GDPR
There is a high degree of uncertainty and apprehension as far as compliance with GDPR is concerned. Many companies may have started formulating their compliance strategies and implementation roadmaps, but some of them are doing so to avoid penalties and tick a box. The underlying objective of the regulation is to encourage good data practices and retain customer trust in businesses. Instead of treating it as a mere compliance task, companies should welcome GDPR as a great opportunity for them to win customer trust and gain competitive advantages.
Though insurers may be acutely impacted by the regulation, their path to compliance is similar to any other impacted sector: revisiting systems and processes to assess readiness for this regulation and investing in filling gaps. Some changes may be big, such as data retention and privacy by design, while some may be more straightforward, such as providing privacy notices. In all cases, effective change management is the key.
"Change management is the key"
GDPR Articles referenced in this whitepaper
1 Final text of GDPR | http://data.consilium.europa. eu/doc/document/ST-5419-2016-INIT/en/pdf | 6 Apr 2016
2 CO’s overview of Article 29 WP’s guidance on GDPR | https://ico.org.uk/for-organisations/ data-protection-reform/overview-of-thegdpr/?template=pdf&patch=26 | Jan 2017
3 Article 29 Working Party’s guidelines for data portability | http://ec.europa.eu/newsroom/just/ item-detail.cfm?item_id=50083 | 22 Nov 2016
About the Authors
Mohit is a Vice President and Global Head of Insurance for the Consulting practice of EXL Service. He manages global delivery of enterprise transformation, finance & accounting and GRC services to Insurance clients, focusing on solutions that are not only cost-effective and deliver immediate value, but also provide flexibility to address dynamic business and regulatory environment.
Prakhar is a Senior Manager with the Consulting practice of EXL Service UK Ltd. With over 12 years of experience in the field of IS/IT risk advisory, data protection and regulatory compliance, Prakhar has led several projects for top-tier clients globally across diverse industry sectors. In his current assignment, Prakhar is assisting a UK-based leading General Insurer in managing multiple work streams on their GDPR implementation program and providing subject matter expertise. He is a Certified EU-GDPR Practitioner, Certified Information Privacy Technologist (CIPT), holds CISM & CISA licenses from ISACA and is a Prince2 practitioner.
Shweta is a Manager with the Consulting practice of EXL Service UK Ltd. With over 10 years of experience in helping companies enhance their technology risk and compliance profiles, Shweta has carried out multiple projects across North America, Europe, Asia and Africa, focusing on BFSI and telecom sectors. She is a certified ISMS Auditor, has cleared ISACA’s CISM, CRISC and CISA exams and is currently pursuing IAPP’s CIPT credential.