The fact that demand for insurance policies covering potential data breaches has vastly accelerated in the last year means insurers stand to benefit from GDPR on a direct commercial level – but they need to make sure there isn’t a sting in the GDPR tail.
Profiting from uncertainty?
With GDPR imposing much greater fines for non-compliant data breaches (up to 4% of annual global turnover), more stringent stipulations for responses to such breaches (a new requirement to inform the relevant authorities within 72 hours of discovery of a breach) and much media scaremongering about the possible impact of GDPR, it’s no surprise that the run-up to GDPR has seen an uptake in policies indemnifying costs and expenses incurred in the wake of data breaches.
If there is to be a modest “cyber-windfall” for the insurance sector, it also needs, as a sector notably reliant on the daily processing of massive volumes and varieties of personal data, to make sure it is ahead of the curve in compliance terms.
“GDPR covers all sectors and all geographies, but with its emphasis on individual rights, there is (arguably) a particular sensitivity when it comes to the financial and insurance sectors, both of which are sectors ‘in the business of trust’.”
Driving change, driving disruption
Insurance is a notably ‘conservative’ sector which has been slow – and often unwilling – to change. Some commentators have actually gone as far as to say that the sector has seen more change in the last 10 years than in the last 200. This sector has until now been led by internal legacy systems and platforms and is famously one of the largest remaining users of mainframe computers. Digital transformation is needed – the catch is that when such transformation takes place the end state is not always known in advance. From a data security perspective, security and ‘flux’ are not happy bedfellows.
But as Gartner’s latest CIO Report makes clear, insurers want to decrease their IT costs, which means getting rid of data centres, which means going to cloud. Not everyone can even do this; some still reliant on mainframes see it as cost-prohibitive and cloud-prohibitive. Others have different concerns and see cloud compliance as “murky waters”.
Yet insurers are under increasing pressure to drive innovation, to “disrupt or be disrupted”. The FS sector has been rocked by FinTech startups that have stolen a march on them; the insurance sector is now also facing such challenges.
Combined, these considerations mean that the insurance sector has huge amounts to gain by using the advent of GDPR to rethink how it makes data-centricity support customer-centricity, and how it can use data to drive disruption and innovation.
Profiling and GDPR
The insurance industry is one of the biggest crunchers of big data and analytics numbers. Given the central importance to the underwriting process of the systemic profiling of individuals, one of the most significant ways that GDPR is set to impact on the insurance sector is in profiling.
GDPR is at heart about safeguarding the rights of individuals. It enables their right to audit, edit, transfer, restrict and delete any data held on them. Insurers should be particularly aware of the new individuals’ rights concerning the use of profiling, particularly automated profiling. Article 22 of GDPR introduces the right not to be subject to a decision based exclusively on profiling. Individuals may object to such processing if it produces “a legal effect” on them, which is precisely what decisions made by insurers can be said to do.
The above would be enough to derail or disrupt the industry entirely – but Article 22 includes some exemptions, which include the case where the decision (made by profiling) is necessary for a contract. Profiling for underwriting will be considered necessary for a contract, so while there’s no reason to expect that core processes will have to change, insurers do have to be aware of the new conditions which apply and may be invoked on an individual basis.
Another interesting new right under GDPR for the individual is the right to be forgotten – in short, individuals have the right to request that their personal private information be permanently deleted by a company. One application that may apply here for the insurance industry is in the fields of fraud detection or ‘bad risk customer’ identification. GDPR could impact the ability of insurers and brokers to maintain information on high-risk customers including those deemed more likely to submit fraudulent claims. Once again, it is expected that the industry will here claim fair legal usage in retaining certain data.
This is probably a good time to touch on the issue of consent, about which there has been much written in relation to GDPR.
“Under GDPR consent has to be clearly given and actively informed. It must be in plain and simple language, cannot be ‘hidden’ within a long list of Terms and Conditions, or inferred by the use of pre-ticked boxes.”
However it is one of the misconceptions of GDPR to see consent as all-important. More relevant and helpful for insurers is to focus on the concept of ‘lawful purpose’: insurers don’t have to have explicit consent in all cases, as long as they can prove they have a lawful reason for processing the personal data.
Pseudonymised data
Another new facet of GDPR which is expected to be welcomed by the insurance industry is around ‘pseudonymisation’. GDPR’s data protection principles do not apply to anonymous information, which it defines as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not identifiable”. This is in line with previous data protection legislation. Where GDPR goes further is in now not applying to pseudonymised information, whereby personal information is processed in such a way that it is not personally identifiable without the additional use of a ‘key’ or ‘code’. The insurance sector (among others) is expected to welcome the formal recognition of pseudonymisation as a valid security measure.
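The separation the paragraph describes, analytic data on one side and the re-identifying ‘key’ on the other, is easy to get wrong in practice (an unkeyed hash of a policy number is not a pseudonym, because anyone who knows the identifier format can recompute it). The following is an added illustration, not code from the original post or from DXC; the sample records, the field names and the `subject_token` scheme are constructed for the example. It uses a keyed HMAC so that the analytics dataset carries stable subject tokens, re-identification needs a lookup table held only by the key holder, and each third-party processor can be given its own key so that datasets shared with different parties cannot be linked to each other.

```python
import hashlib
import hmac
import secrets

# Constructed sample policy records for the example; these are not real customers.
CUSTOMERS = [
    {"policy_id": "P-1001", "name": "Alice Example", "postcode": "AB1 2CD", "claims": 2},
    {"policy_id": "P-1002", "name": "Bob Example", "postcode": "AB1 9ZZ", "claims": 0},
    {"policy_id": "P-1003", "name": "Carol Example", "postcode": "EH2 4FG", "claims": 1},
]


def new_pseudonymisation_key() -> bytes:
    """The secret 'key' that stays with the data controller, never with the dataset."""
    return secrets.token_bytes(32)


def subject_token(policy_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier (hypothetical token scheme)."""
    return hmac.new(key, policy_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Drop direct identifiers (name, full postcode, policy id); keep the analytic fields."""
    return [
        {
            "subject": subject_token(r["policy_id"], key),
            "postcode_area": r["postcode"].split()[0],  # coarsened, not the full postcode
            "claims": r["claims"],
        }
        for r in records
    ]


def reidentification_table(records, key: bytes):
    """Held separately from the analytics dataset: token -> policy id."""
    return {subject_token(r["policy_id"], key): r["policy_id"] for r in records}


def reidentify(dataset, table):
    """Resolve tokens back to policy ids; None where the table's key does not match."""
    return [table.get(row["subject"]) for row in dataset]


def unkeyed_hash_is_linkable(policy_id: str, candidate_ids) -> bool:
    """Why a plain hash is not a pseudonym: a known identifier space lets it be recomputed."""
    target = hashlib.sha256(policy_id.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target for c in candidate_ids)


if __name__ == "__main__":
    controller_key = new_pseudonymisation_key()
    processor_key = new_pseudonymisation_key()  # a different key per third-party processor
    shared = pseudonymise(CUSTOMERS, processor_key)
    print("dataset given to processor:", shared)
    # The controller's own table cannot resolve the processor's tokens, and vice versa.
    print("resolved with wrong key:", reidentify(shared, reidentification_table(CUSTOMERS, controller_key)))
    print("resolved with right key:", reidentify(shared, reidentification_table(CUSTOMERS, processor_key)))
```

The point to take from the design is that the dataset alone must not be enough to identify anyone: the key and the re-identification table are the controlled assets, and they should be subject to the same access control and breach-notification thinking as the personal data they unlock.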
A global reach
Insurers will need to identify and validate the international flows of customer personal data, whether that is internally (ie within offices which may be globally dispersed) or with third-party suppliers, disparately located. Under GDPR, security requirements are the responsibility of both insurers and any data processor third-parties they use. As GDPR marks the first time that data processors have such direct responsibility, insurers may well need to review existing data agreements. Such agreements will need to be explicit about the security arrangements for data, and about the requirements for data processors (for example, suppliers) to assist data controllers (for example, insurers) in the event of a breach.
Data, data, everywhere
The historic attitude of the insurance sector might be summed up as “collect and be damned” – it has been a sector awash with data lakes and silos, full of data that has often been kept with a view that it might be useful sometime. Under GDPR, having data “lying around” means it becomes more of a liability than an asset. Unnecessary data is a drain on costs and resources – both in terms of storage and communication – so the opportunity GDPR affords for insurers to get their house in order is a valuable one. When you’re identifying the data that has real value to the business, it is often the case that “less is more”.
The fact that harmonisation and standardisation under GDPR (across sectors and geographies) means organisations will now be following one set of rules should help encourage insurers to undertake this cleaning and re-organising.
The data future for insurers
One of the current innovations in the insurance sector is in offering “insurance on demand” services whereby customers can turn their insurance on or off for a specific purpose and period, which could be daily or even hourly – for example car insurance when borrowing a friend’s car for the afternoon, or travel insurance when taking a flight. Other innovations include customers giving insurance apps the right to ‘monitor’ driving and/or location to access ‘safe driver’ discounts. Mobility, the Internet of Things and telematics come into their own for such services, but location data from telematics boxes or wearable devices is all subject to GDPR. Insurers need to be clear about how this data is collected and how the consent is gathered.
Grasping the GDPR nettle
The advent of GDPR is a good time for insurance companies to start really seeing information as an asset and building-in principles and processes – ‘privacy by design’ – that support and ‘future-proof’ this. The insurance industry is one of the biggest for sharing information globally. Whenever the focus is on BI or analytics where companies are bringing data from multiple entities, it’s good to build in information rules around owners, stewards and processors – both in order to maintain compliance (and avoid fines) and to understand the customer better.
(One of the widespread misconceptions about GDPR is the idea that from now on all data breaches will lead to an automatic fine. This is not the case, and the focus should be on the individual company’s preparedness, culture (ie how much a “duty of care” for data privacy is ingrained) and attitude to compliance. The opportunities GDPR affords for deeper customer engagement are ones insurers should seek to grasp.)
DXC has supported the insurance industry through many waves of regulatory change with a successful, proven approach that focuses on security, analytics and the customer experience. GDPR is, at its heart, about deserving the trust that customers place in businesses. This has particular resonance for the Insurance sector, for whom trust is a large part of business. GDPR marks an unprecedented opportunity for insurance companies to reinforce this trust in the eyes of their customers.
Dimitrios Petropoulos is Security Principal at DXC Technology for the Banking, Capital Markets and Insurance sectors. He has 30 years of experience in IT, of which the last 25 have been dedicated to Information Security. Dimitri’s industry knowledge and skills are hands-on, broad and varied, gained working in enterprise InfoSec groups as well as for international consulting, service and solution providers.
Covering all the angles
This blog series looks at GDPR from a variety of angles ranging from deep dives into breach reporting and new individuals’ rights, through to specific looks at challenges by vertical sector.