GDPR: Legal Update: How the GDPR is going to change the lives of insurers

GDPR

  • The General Data Protection Regulation means organisations will have three days to notify the regulator of any significant data breach, which will be subject to higher fines
  • Policyholders will be able to have their personal data deleted
  • Clearer data rules will allow insurers to better assess risks
  • CPD Knowledge Centre learning outcomes for this article

Insurers will face stricter data rules but these may help them grow the cyber market, write Mark Estafanous and Kate Payne, solicitor and partner at Elborne Mitchell.

The General Data Protection Regulation, replaced the Data Protection Act in the UK on 25 May 2018. It applies to any organisation – whether established inside or outside the EU – which offers services to European Union citizens.

You may be tempted to skip the rest of this article at the very mention of data protection, but this legislation is not to be ignored. Non-compliance can lead to fines up to €20m (£17.7m) or 4% of annual worldwide turnover. And the GDPR could have far-reaching implications for the insurance market.

Main GDPR provisions

The changes significantly expand the obligations of organisations that process personal data. Under the GDPR, the balance of power shifts from the data controller to the data subject, with the data controller being required to prove the legitimate interest and/or reasoning for retaining the personal data.

Organisations are used to the standard 'click here to read our privacy policy' and supplying pages of unintelligible miniature text. This will no longer suffice.

Organisations will need to clearly explain why they are collecting personal data; how it will be used; and they will need to get informed consent to hold it. They will need to keep accurate records of the data they hold and individuals will have the right to withdraw consent and have their data erased at any time, which means data must be properly stored and easily accessible. If this is not complied with, individuals can claim compensation from organisations for financial loss or distress suffered.

Organisations will need to report security breaches to any affected citizens without undue delay and to their regulator within 72 hours, meaning the days of covering up cyber attacks for commercial reasons will be a thing of the past.

Certain organisations will be obligated to appoint a data protection officer, who is expected to be at an executive level and will assume responsibility for GDPR obligations.

In order to be compliant with the GDPR by the time it comes into force, organisations will need to consider implementing significant technical changes, including reviewing data protection policies, training staff on how data should be handled, implementing clear reporting procedures, and carrying out risk assessments.

Implications for the insurance market

The additional obligations, sanctions and requirements in responding to any breach are extensive and likely to increase the financial impact of non-compliance, leading to an upwards shift in loss estimates for data protection breaches.

The data subject’s right to be forgotten could well have a material impact on the insurance industry’s ability to retain personal data for as long as possible to maximise use.

While the GDPR poses challenges, it also presents opportunity to insurance companies. Organisations will need to re-examine the adequacy of insurance arrangements and this may lead to a greater interest in cyber insurance. This opens the door for insurance companies to enter or expand into a growing market. The requirement for clearer policies will also allow insurers to better assess risk and to provide insurance to lower risk organisations.

It is also a great opportunity for businesses to reformulate their attitude to data protection and implement long-term cultural changes to embed the principles of data protection. There are a number of practical steps that can and should be taken to prepare and if you are unsure about them, do get help in formulating an action plan.

Return to Module - GDPR

CII

CPD Knowledge Centre learning outcomes for this article


By the end of this module, users will: 

• Understand GDPR and its implications for the insurance industry
• Gain awareness of the compliance challenges and opportunities

Once you have read all the articles in this module you may start the corresponding assessment. You will receive a certificate if you score 80% or higher.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@postonline.co.uk or view our subscription options here: http://subscriptions.postonline.co.uk/subscribe

You are currently unable to copy this content. Please contact info@postonline.co.uk to find out more.

Government to consult on leasehold commission ban

In a written statement published yesterday, the Minister of State for Housing, Communities and Local Government has said the government “will go out to consultation very shortly on the detail of the Act’s ban on buildings insurance remuneration”.

Greenwashing risks and the path to real progress

As the 2024 United Nations Climate Change Conference, also known as COP29, begins Damisola Sulaiman explores the unique greenwashing risks the insurance industry faces, how those risks can be mitigated and the challenges faced in proving sustainability claims.

Most read articles loading...

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here