Data, insurance and GDPR: how firms can meet the challenges

The insurance market is changing rapidly, driven by shifting customer expectations and technological progress. The Internet of Things and connected devices are transforming the industry, for instance with the increasing usage of telematics for motor insurance, wearable technologies and m-health apps for health insurance, and smart appliances and devices for home insurance. At the same time, customers expect to be always connected with their insurers, with new apps and tools that facilitate a smooth interaction.

Within this “connected” scenario, insurance companies are now able to process large volumes of data, which can be used to control risks and gather insights for new products, with substantial benefits for the whole insurance value chain.

From a data protection perspective, as the volume and value of data captured in the connected environment grows, so will the challenges facing insurance companies. Adequate data management is becoming of paramount importance, not only as a positive market differentiator, but also to avoid substantial risks. These risks include sanctions introduced with the European General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 and under which firms can be fined up to 4% of their global annual turnover.

The GDPR will bring with it a new approach to accountability: companies will have to demonstrate compliance, carry out a data protection impact assessment at the outset for each high-risk processing activity or insurance product, and implement data protection by design and by default.

This implies that insurance companies will have to take into consideration data privacy throughout the data processing lifecycle and integrate data governance with appropriate safeguards and processes including, for instance, data minimization.

Furthermore, under GDPR there are strict obligations to report security breaches to national authorities (and in certain circumstances to the affected individuals) within 72 hours. Data risk mitigation strategies will become very relevant for many industry sectors, with residual risks also to be addressed through cyber-insurance policies.

The GDPR also introduces new rights, including the right to data portability, which should also cover the data generated by the data subject through connected devices. In particular, data subjects (including customers) will have a right to receive the personal data concerning them in a structured, commonly used and machine-readable format and to transmit such data to another controller without hindrance or, where technically feasible, to have the same data transmitted directly from one controller to another.

Portability is creating some challenges for many “data rich companies”, including within the insurance sector. There are questions that will still need to be addressed in detail, including which format and granularity standards should be applied. Most companies have no clear ideas on this point: the GDPR provides for a one-month safety net to satisfy such requests, which may allow for sufficient time for ad-hoc testing.

In the meantime there is a wide debate on this point, which sometimes overstates the risks involved or the appetite of companies that may be interested in gathering data from competitors. Historical data on the exercise of access rights by data subjects will be a good test for assessing the potential impact of data portability, particularly during the initial GDPR implementation stage.

In this respect it is worth noting, considering the evolution of the working party’s recent draft recommendations, that the primary purpose of GDPR is not to enhance competition but to protect individuals’ rights. Hence the portability right is to be construed as a means of transferring raw data, not the information derived from it. All insurance companies will in any event have to devise a specific strategy well before May 2018.