Data Protection Regulation: Insurers risk heavy fines
The new European Regulatory Framework for Data Protection is just around the corner and if insurers fail to comply they could be liable to penalties of up to 100 million euro or up to 5% of global turnover. What does the Data Protection Regulation entail for insurers?
The scale of data sharing and collection is continuously increasing, and the use of digital technologies and Big Data applications is becoming more important. Over the same years, however, the number of data breach incidents has also increased. This trend could jeopardize citizens' rights over their personal data. Following these developments, the need for a new European regulatory framework that is future-proof and fits our digital age has grown, especially since the centerpiece of existing EU legislation on personal data protection, the European Data Protection Directive (Directive 95/46/EC), dates from 1995(!). The completion of the new European General Data Protection Regulation is a policy priority for 2016, and it will supersede the 1995 Data Protection Directive.
The European General Data Protection Regulation
Although the proposed General Data Protection Regulation is not final yet, in principle it will consist of a more comprehensive and coherent policy on the fundamental right to personal data protection. It aims at harmonizing the local legislations and granting individuals more rights and control over their personal data. A main advantage for companies is that organizations will only have one regulatory authority, the Data Protection Authority (DPA), which supervises their activities across all EU member states.
However, the new Data Protection Regulation could significantly change insurers' data collection and processing activities. Here are a number of legal changes that will impact every insurance company:
- Documentation of data processing operations
- Impact assessments
- Appointment of data protection officer
- Data subject consent
- Data transfers
- Mandatory security breach reporting
- Fines of up to EUR 100 million or of up to 5 percent of annual worldwide turnover (the numbers are still under debate)
Responsibility and accountability
As the regulation changes, the insurance industry will become more accountable for safeguarding personal data. The new regulation requires (increased) mandatory reporting to supervisory authorities. Insurers will need to document their data processing operations, and this documentation must be made available to the DPA on request. In practice this will entail (another) work stream of monitoring, reviewing and assessing data processing procedures. Safeguards need to be built into all data processing activities in order to minimize operational and reputational risks. Furthermore, the increased responsibility and accountability and the changes to operational processes will make data impact assessments a must for every insurer.
Also, organizations with over 250 employees will need to appoint a data protection officer (DPO) who is exclusively responsible for data protection.
Beyond reinforcing data privacy rules, the forthcoming regulation also aims to change the way personal data is handled. For example, the European Commission wants to implement a Data Privacy system or Internal Control system centralized around the Data Privacy Officer. The idea is to urge companies to embed data privacy into their operational processes by implementing two notions: Data Protection by Default and Data Protection by Design.
Consent and data transfers
Customers will have the right to access their personal data, have it rectified or erased, object to its processing and not be subject to profiling. They will also have to give their specific consent for insurers' data processing activities. This implies that insurers need to be able to prove that their customers gave explicit consent for data collection. In other words, insurers' data collection activities will have to rely on data subject consent to process personal data.
When transferring personal data to third parties, the legitimacy of the transfer must be ensured. Moreover, transfers outside the European Economic Area must first be approved by the Data Protection Authority. In the context of globalization, this requirement has a substantial impact on operational processes. Nevertheless, for intra-group (international) data transfers, a Binding Corporate Rules agreement can be implemented in order to reduce the number of formalities with the DPA. This agreement ensures that all entities within a group comply with the regulation.
Penalties and fines
Under EU law insurers must protect personal data from misuse. The latest proposal includes fines of up to EUR 100 million or up to 5 percent of annual Group turnover for data privacy law breaches (versus €300.000 currently in France and €450.000 in the Netherlands). Furthermore, when security breaches occur, companies will have to notify serious data breaches without undue delay and, where feasible, within 24 hours.
Why does the new regulation matter for the insurance industry?
Collecting and processing personal information is integral to the proper functioning of an insurance business. Automated processes for accessing and processing personal data enable insurers to assess risks, process and pay claims, and tailor information and cover to consumers' individual needs. Some of the data insurers collect and process is sensitive. In addition, the volume of data, combined with complex product distribution chains, makes insurers particularly aware of the importance of keeping data safe.
The proposed rules could make it difficult for insurers to continue to provide the insurance services consumers expect and to fight fraud effectively. The Data Protection Regulation will restrict the ability of insurers to assess risk properly. This will result in a reduced availability and range of insurance products and an increase in the cost of customers' cover.
For example, the proposed regulation will not allow risk calculations that include analysis of (claims history) data, nor the assessment of the risk posed by prospective policyholders who wish to transfer. This makes it hard to calculate risk and insurance premiums for individual customers, which will eventually result in higher costs for customers' cover. Moreover, without access to previous claims history, efforts to protect honest policyholders against the consequences of insurance fraud will be hindered.
Finally, given that customers are becoming more and more demanding and are drawn to new technologies, insurance activities are changing. Yet the regulation can hold back innovation, as well as the release of new products, in the insurance industry. For example, the innovative life insurance product 'Vitality' of the South African insurer Discovery has the potential to transform the pricing of life insurance. In essence, customers who choose the Vitality program are willing to continually share their health data via wearables. Discovery then translates this private data into premium savings and other perks. However, under the proposed EU regulation, it is doubtful whether European insurers will be able to move their activities towards this kind of product.
Questions insurers can ask themselves to assess Data Privacy risks:
- Do my current activities rely on data subject consent to process personal data? Or do these activities have a legitimate interest in processing data that is not overridden by the interests of the data subject?
- Are my documents and forms of consent adequate? Are the consents freely given, specific, informed and explicit?
- How can I embed data subject consent in my future and current products, systems, documentations and processes?
- What data transfers are currently undertaken? How will I ensure that the transfer of data to other (non-EEA) countries is safeguarded in a way that is compliant with legislation?
- How can I implement Binding Corporate Rules on facilitating intragroup data transfers?
- Are my colleagues aware of the operational and regulatory changes ahead?
- What will I do to smooth the implementation of the Data Protection Regulation?
Move towards compliance
The General Data Protection Regulation is due to come into force soon. Given that the proposed financial penalties for non-compliance are severe, financial sanctions and reputational risk are the top data protection threats for insurers. However, insurers that start taking steps now to address the proposed changes will be in a stronger position. After all, most of these risks can be avoided by adapting in time.
In conclusion, the implementation of the General Data Protection Regulation should be part of every insurer's current strategy.
- Protection of personal data, http://ec.europa.eu/justice/data-protection/index_en.htm