Legal Update: How the GDPR is going to change the lives of insurers
Need to know
- The General Data Protection Regulation means organisations will have three days to notify the regulator of any significant data breach, which will be subject to higher fines
- Policyholders will be able to have their personal data deleted
- Clearer data rules will allow insurers to better assess risks
Insurers will face stricter data rules but these may help them grow the cyber market, write Mark Estafanous and Kate Payne, solicitor and partner at Elborne Mitchell.
The General Data Protection Regulation, coming into force in the UK on 25 May 2018, will replace the current Data Protection Act. This doesn’t mean you only need to comply until Brexit; it will apply to any organisation – whether established inside or outside the EU – which offers services to European Union citizens.
You may be tempted to skip the rest of this article at the very mention of data protection, but this new legislation is not to be ignored. Non-compliance can lead to fines up to €20m (£17.7m) or 4% of annual worldwide turnover. And the GDPR could have far-reaching implications for the insurance market.
Main GDPR provisions
The changes significantly expand the obligations of organisations that process personal data. Under the GDPR, the balance of power shifts from the data controller to the data subject, with the data controller being required to prove the legitimate interest and/or reasoning for retaining the personal data.
Organisations are used to the standard ‘click here to read our privacy policy’ and supplying pages of unintelligible miniature text. This will no longer suffice.
Organisations will need to clearly explain why they are collecting personal data; how it will be used; and they will need to get informed consent to hold it. They will need to keep accurate records of the data they hold and individuals will have the right to withdraw consent and have their data erased at any time, which means data must be properly stored and easily accessible. If this is not complied with, individuals can claim compensation from organisations for financial loss or distress suffered.
Organisations will need to report security breaches to any affected citizens without undue delay and to their regulator within 72 hours, meaning the days of covering up cyber attacks for commercial reasons will be a thing of the past.
Certain organisations will be obligated to appoint a data protection officer, who is expected to be at an executive level and will assume responsibility for GDPR obligations.
In order to be compliant with the GDPR by the time it comes into force, organisations will need to consider implementing significant technical changes, including reviewing data protection policies, training staff on how data should be handled, implementing clear reporting procedures, and carrying out risk assessments.
Implications for the insurance market
The additional obligations, sanctions and requirements for responding to any breach are extensive and likely to increase the financial impact of non-compliance, leading to an upward shift in loss estimates for data protection breaches.
The data subject’s right to be forgotten could well have a material impact on the insurance industry’s ability to retain personal data for as long as possible to maximise use.
While the GDPR poses challenges, it also presents opportunities for insurance companies. Organisations will need to re-examine the adequacy of their insurance arrangements, and this may lead to greater interest in cyber insurance. This opens the door for insurance companies to enter or expand into a growing market. The requirement for clearer policies will also allow insurers to assess risk more accurately and to provide cover to lower-risk organisations.
It is also a great opportunity for businesses to reformulate their attitude to data protection and implement long-term cultural changes that embed its principles. There are a number of practical steps that can and should be taken to prepare, and if you are unsure about them, do get help in formulating an action plan.
Copyright Infopro Digital Limited. All rights reserved.