In Depth: The GDPR time bomb

The General Data Protection Regulation will see businesses having to be transparent in the way they use customer data and declare all data breaches and cyber attacks. The regulation will mean that time is of the essence: businesses will have just 72 hours to notify the regulator of a breach – failure to do so will result in a fine of up to €20m (£17m) or 4% of global turnover, whichever is higher.

The Information Commissioner’s Office will be in charge of enforcing the terms of the regulation and the watchdog has already begun talks with the government and industry figures on the topic of compliance. But there are still areas to iron out, said James Bridge, head of conduct at the Association of British Insurers. 

“We’ve had a member-comprised data protection working group. The awareness and engagement among insurers with GDPR has been there from the beginning,” he said.

“There are still a lot of areas of this regulation that have yet to be decided on in terms of implementation. We are very much engaged with the Department of Culture, Media and Sport and the ICO around what the finished regulation will look like.”

Any terms enforced by the regulation will impact all of the personal customer data that has been gleaned by insurers to assist in their underwriting and pricing procedures. This ultimately calls for risk mitigation and for firms to be aware of where they may fall short come next year. Some insurers have only just completed their risk and readiness assessments, while gap assessments would suggest that some firms still have more to do.

“As an industry, what we do has a huge significance to GDPR in terms of pricing, profiling, claims fraud and a lot of data that we hold,” said Craig Skinner, head of data analytics at PWC.

“The industry is caught up by the huge amount of legacy that it has in ageing systems and ageing data, so that’s a pretty big challenge and one that is going to be difficult to become compliant with. We’re helping our clients on a risk-based approach. Some have carried out risk assessments while others have gotten to full implementation mode where they have it embedded into their workstreams. Gap assessments would suggest that there is more compliance work that insurers should do to meet standards.”

Right to be forgotten

The ICO has been seeking input from insurers and those working in the financial industry to understand the concerns surrounding various clauses. One of the main concerns of insurers is the issue of consent and clarity on how customer data is being used. The regulation allows for customers to request information on how their data is being used and, in certain circumstances, request the erasure of that data.

“If insurers have to rely on consent then this leaves them in a difficult position,” said Mark Williamson, partner at Clyde & Co.

“If at any point that customer consent is withdrawn, then it just doesn’t work for the insurance industry, particularly in the claims process as that’s when you will usually have to delve into the client data.”

But current software systems are not built for the purpose of trawling through vast amounts of data and erasing details wherever necessary. In theory, a customer can request to be erased from their insurer’s system but in practice this is a lot more difficult, said Skinner.

“If you’re looking at consent, it would be quite difficult to flag down that specific data or the record that a customer has declined consent,” he said. “It would be quite difficult to erase someone from the system or extract the data. Our systems have never been designed for any of that.”

The thought that a customer can, all of a sudden, decide to be erased from the system will have alarm bells ringing in the minds of insurers. If a customer were to submit a fraudulent claim and then has their request to be forgotten granted, what is to stop them from submitting yet another false claim?

This is something that the ABI has been lobbying the government on, said Bridge.

“The right to be forgotten does pose a fraud risk but we are pushing the government to pass legislation so insurers can use fraud indicator data and criminal conviction data so they can mitigate that,” he said.

“Insurers may have ground where they are allowed to hold certain data under the terms of particular contracts. We want the government to allow insurers to be able to use data for anti-fraud, underwriting and price purposes.”

The end of Big Data?

Customer data is the lifeblood of all insurers, without it they will struggle to gauge risk, price and underwrite products, track fraud and tailor policies to the individual.

“Personal data in the insurance space is crucial,” said Mark Thompson, director of risk consulting at KPMG. “If you took all the personal data out of an insurer, you wouldn’t have anything, you couldn’t do any underwriting. It affects commercial and personal lines in the exact same way because the whole industry is so rich with personal data.”

“The whole value chain is horrendously complicated. We’re moving to a new generation where data is being collected on us and policies are being underwritten in real time with the assistance of telematics.”

As the industry makes headway in using Big Data to drive its insurtech propositions, there is a fear that losing or not having access to valuable bits of data will have a damaging impact on innovation. But it isn’t the case that insurers will miss out on this data or be prohibited from asking for it; as long as they are transparent, the data is fair game.

“There’s a lot of debate surrounding the effect that GDPR will have on innovation, but a lot of the regulation is common sense,” said Skinner. “We should, of course, be careful about how data is utilised.

“We need to be more transparent about how we’re using data and have guidelines for our staff who are handling it. A lot of the ways in which insurers go about profiling needs to be looked at. This will take time but it won’t stop insurers from innovating, thinking about their digital strategy and using technology to get closer to the customer.”  

Cyber

If the insurance industry is going to benefit in any way from the incoming GDPR regulation it is probably due to the mandatory breach notification that it will bring. With businesses forced to declare breaches, or risk losing out in a big way financially, business owners’ instincts will no doubt be to protect against possible events. The awareness of cyber threats and the uptake in cyber policies are already gaining momentum and this is likely to accelerate even before GDPR gets into full swing.

“Cyber will be at the forefront of the minds of brokers and business in the following year as this regulation approaches,” said Michael Tewfik, cyber underwriter at Beazley.

“The mandatory notification means that all businesses will be affected and will be paying attention to cyber policies and the risks that they face. This is relevant, given the fines that can be placed on a company for not notifying the regulator. A cyber policy will cover the cost of notifying clients.”

With many areas of how the law will be implemented still uncertain, an extra area of uncertainty will come from the General Election and the way the incoming government wishes to tackle it, said Bridge.

“A lot of the final certainty will come at the end of the year due the snap election affecting some of the legislative timings,” he added.

Despite the UK deciding to leave the European Union, there are no plans to repeal or amend GDPR in its current form.

Bridge said: “GDPR is still being implemented in the UK despite Brexit.

“But there is the question of how we deal with international data transfers once we leave the EU. The ABI’s preference is that we implement GDPR and that the option for preparation assessment between the EU and UK is there.”