Get data protected responsibly, GDPR is closer than you think – the impact of GDPR on small and big insurance businesses


21-Dec-2017 by Sabine VanderLinden


“When we have all data online it will be great for humanity. It is a prerequisite to solving many problems that humankind faces.” Quote from Robert Cailliau, Belgian informatics engineer and computer scientist who, together with Tim Berners-Lee, developed the World Wide Web.

Let’s assume for a moment that the world were perfect: completely protected from cybercrime, hackers and data breaches. And let’s imagine that a sizable volume of your personal, business and health data were online. How amazing would it be to get access to the most personalised support and answers to your most complex issues and problems?

However great data is, and despite all the amazing things we are able to do with it to solve problems, when it comes to people it is universally agreed that there is a need to treat personal data with respect. To ensure that this happens, the data protection laws that already existed have been updated to meet the needs of an increasingly data-rich, online and digital world. So, as businesses, we now have the responsibility of meeting the legislative requirements of GDPR.

When asked about the regulation, Julian Saunders, CEO of PORT and a recent graduate of Startupbootcamp InsurTech’s 2017 cohort, states:

“The GDPR changes everything when it comes to managing personal data. New privacy and security demands mean your brand reputation is at stake. At present, we are in a world of disconnected systems but the future nirvana for personal data is that it will flow seamlessly between people and businesses to the benefit of both. Compliance is a great start but GDPR ushers in cultural changes that go way beyond mere compliance. My recommendation for any business is to start your preparations early and be ready for the opportunities that will emerge from a more connected world of free-flowing personal information.”

GDPR is the new data protection legislation formed by the EU that, regardless of Brexit, will be adopted in the UK from 25th May 2018. GDPR stands for General Data Protection Regulation and applies to all the customer data your business collects, handles and holds. GDPR is being introduced to meet rising consumer demand for greater levels of data regulation and compliance, and to ensure that personal data is used and held responsibly, in a transparent manner and with the full understanding of the customer.

There’s an analogy that GDPR is like teenage sex: everyone is talking about it, few people are actually doing it, and those that are doing it are probably doing it badly.

The reality is that GDPR will not sort itself out, and the ICO (Information Commissioner’s Office) will not be very forgiving if you are not ready for it by 25th May 2018. So, to recap, what are the main elements of GDPR that will impact the insurance industry?

  1. Consent – if you hold personal data about your customers, you have to be able to prove that you have their implicit consent to use and profile their data.
  2. Data Portability – your customers own and control their own data; you are just a custodian of it, and therefore your use of it is only temporary whilst they are your customer. If they choose to move to a new insurer, you are legally obliged to pass all that customer’s data to their new insurer and erase it from your database.
  3. Right to be forgotten – or right to erasure. Under GDPR legislation, businesses need to make sure that every reasonable step has been taken to rectify or delete inaccurate personal data.
  4. Security & Confidentiality – you need to prove that adequate measures have been taken to ensure the security and confidentiality of your customer data, such that it is unintelligible to any person who is not authorised to access it. In the event of a data security breach, the ICO must be notified within 72 hours of you becoming aware of the breach.

Antony Elliott, Group Head of Business Transformation at Zurich adds:

“GDPR raises some complex challenges for insurance companies; we need access to personal data to underwrite well, but we need to treat it in a way that is transparent and that engenders trust with the customer. Start-ups in this space have a great opportunity to help customers to manage their data rights and provide them with data portability. Many start-ups we see focus on artificial intelligence, but in future the guidelines on automated individual decision making should see them put greater emphasis on explainable artificial intelligence.”

There are many other details still emerging about how the new GDPR legislation will impact your business, whether big or small, and it is necessary to stay informed about them. The penalties for failing to meet the new GDPR regulations are stiff, with fines of up to €20m or 4% of your global turnover, whichever is higher. So ensure that you are not one of those businesses that waits until the last minute to put the right controls and processes in place to fulfil the requirements of the new regulations.

Erik Abrahamsson, CEO of Digital FinePrint shares:

“Because we have built our platform to be GDPR compliant from the ground up, we don’t have to retrofit or change any legacy systems. Features such as opt-in, data portability and the right to be forgotten are already included in the Digital Fineprint platform. This means that the insurers we work with can rest assured that they are compliant when using our technology, and some are even asking us to consult them on their GDPR transformation! And this is the key: while new businesses have the advantage of being GDPR compliant from the outset, many businesses have to work out how to.”

Awareness of this legislation needs to disseminate down from executive levels to operational levels, with full buy-in and understanding of the impacts of the change across the business. Someone needs to be employed as the data protection expert, with full responsibility across the business for implementing changes to meet the regulation. Everyone in the business who handles personal data must be educated and trained in the key elements of the legislation, which is no small task.

Saunders adds:

“We’re working with a lot of businesses grappling with GDPR right now; it’s complex. The one piece of advice I’d give is to get started now – GDPR will affect every business in unique ways so you need to understand these as soon as possible so you can respond appropriately.”

There is no doubt that having data online is great for humanity and for solving many of the problems that humanity faces, as Robert Cailliau stated so long ago. There are huge opportunities to be gained from the responsible use of customer data in our businesses; however, this cannot come without responsibility: implement changes to meet GDPR now and build a culture that Gets Data Protected Responsibly.

Sabine VanderLinden

CEO InsurTech Business of Startupbootcamp and Rainmaking