Legal Update: How the GDPR is going to change the lives of insurers

  • The General Data Protection Regulation means organisations will have three days to notify the regulator of any significant data breach, and non-compliance will be subject to higher fines
  • Policyholders will be able to have their personal data deleted
  • Clearer data rules will allow insurers to better assess risks

Insurers will face stricter data rules but these may help them grow the cyber market, write Mark Estafanous and Kate Payne, solicitor and partner at Elborne Mitchell.

The General Data Protection Regulation, coming into force in the UK on 25 May 2018, will replace the current Data Protection Act. This doesn’t mean you only need to comply until Brexit; it will apply to any organisation – whether established inside or outside the EU – which offers services to European Union citizens.

You may be tempted to skip the rest of this article at the very mention of data protection, but this new legislation is not to be ignored. Non-compliance can lead to fines up to €20m (£17.7m) or 4% of annual worldwide turnover. And the GDPR could have far-reaching implications for the insurance market.

Main GDPR provisions

The changes significantly expand the obligations of organisations that process personal data. Under the GDPR, the balance of power shifts from the data controller to the data subject, with the data controller being required to prove the legitimate interest and/or reasoning for retaining the personal data.

Organisations are used to the standard ‘click here to read our privacy policy’ and supplying pages of unintelligible miniature text. This will no longer suffice.

Organisations will need to clearly explain why they are collecting personal data; how it will be used; and they will need to get informed consent to hold it. They will need to keep accurate records of the data they hold and individuals will have the right to withdraw consent and have their data erased at any time, which means data must be properly stored and easily accessible. If this is not complied with, individuals can claim compensation from organisations for financial loss or distress suffered.

Organisations will need to report security breaches to any affected citizens without undue delay and to their regulator within 72 hours, meaning the days of covering up cyber attacks for commercial reasons will be a thing of the past.

Certain organisations will be obligated to appoint a data protection officer, who is expected to be at an executive level and will assume responsibility for GDPR obligations.

In order to be compliant with the GDPR by the time it comes into force, organisations will need to consider implementing significant technical changes, including reviewing data protection policies, training staff on how data should be handled, implementing clear reporting procedures, and carrying out risk assessments.

Implications for the insurance market

The additional obligations, sanctions and requirements in responding to any breach are extensive and likely to increase the financial impact of non-compliance, leading to an upwards shift in loss estimates for data protection breaches.

The data subject’s right to be forgotten could well have a material impact on the insurance industry’s ability to retain personal data for as long as possible to maximise use.

While the GDPR poses challenges, it also presents opportunities for insurance companies. Organisations will need to re-examine the adequacy of their insurance arrangements, and this may lead to greater interest in cyber insurance. This opens the door for insurance companies to enter or expand into a growing market. The requirement for clearer policies will also allow insurers to better assess risk and to provide insurance to lower-risk organisations.

It is also a great opportunity for businesses to reformulate their attitude to data protection and implement long-term cultural changes to embed the principles of data protection. There are a number of practical steps that can and should be taken to prepare and if you are unsure about them, do get help in formulating an action plan.
