EU General Data Protection Regulation – three key issues insurers should consider

Raluca Boroianu-Omura, Manager, Conduct Regulation, ABI

A political agreement on the EU General Data Protection Regulation (GDPR) was reached in Brussels in December 2015, and whilst translation work and technical discussions are on-going, the meaning of the agreed text cannot be changed. The final procedural steps will take place over the next three months, with a view to publishing the Regulation in the Official Journal of the European Union (OJEU) in the first half of 2016. The Regulation becomes applicable two years after publication, that is in mid-2018. Over the next two years, European and UK regulators will be working to ensure a smooth implementation of the Regulation, including issuing guidelines.

With this in the background, companies will start exploring the concrete ways in which the Regulation impacts on them. There are three issues that insurers and their Boards should be considering:

  1. The operational implementation of the Regulation
  2. The strategic and cultural shift in the approach to data
  3. IT infrastructure and investment

The operational implementation of the Regulation

Even though the Regulation has not been published in the OJEU yet, the political agreement is a clear indication of the final published text. It is therefore right that the GDPR be included in companies’ risk registers, and that the Risk Committee discuss it periodically to identify the risks posed by the Regulation and devise possible mitigation strategies.

Moreover, special attention should be given to the impact of the Regulation on frontline interaction. Companies should dedicate almost as much time considering how these changes are communicated to stakeholders, most fundamentally to customers, as they do to implementing changes. If customers are unaware or misinformed about their rights under the GDPR, can frontline staff deal with this in an efficient way that satisfies both customer and company?

An example is the right to be forgotten, or right to erasure (Article 17 of the GDPR). This is one of the flagship provisions of the GDPR, and some of the initial communication and media coverage has been rather misleading, portraying it as an absolute right which can be exercised without any restrictions. In reality, the right is not absolute and, at times, frontline staff may need to explain to customers that their data cannot be deleted completely. For instance, the insurer may be under a legal or regulatory obligation to retain the data for a given period, or may need it to establish, exercise or defend legal claims; both are grounds on which the Regulation allows erasure to be refused. Frontline staff need to understand these nuances of the right to be forgotten and how to explain them effectively to customers.

The strategic and cultural shift in the approach to data

Innovation represents an increasing focus for insurance companies. Driven by a desire to improve services and products for customers, and by effective competition in the insurance sector, innovation takes many forms. However, while Big Data is not yet used widely across the industry, the new approaches, whether in risk pricing, marketing, distribution or communication, tend to have one feature in common: an increasing use of data.

Therefore, businesses today and tomorrow should consider two questions:

  1. how data can be utilised in innovation
  2. how to best ensure that companies protect data robustly

Answering these will need to take into account regulatory developments, reputational considerations and evolving customer expectations. The answers are likely to change constantly, and will therefore require on-going debate.

A traditional compliance-based approach to data protection will no longer suffice. Both regulatory requirements and customer expectations will demand much more from companies, and so will both the competitive insurance market and the competitive data market. A strategic and cultural shift will be needed: project teams charged with innovation will need to be truly cross-functional and cross-cutting. Integrating the right people into these teams is key to bringing different perspectives to the table. From the word ‘go’, these project teams should be able to advise on both the regulatory and reputational risks, and the opportunities, posed by the use of data.

IT infrastructure and investment

Having the right IT systems in place is necessary both to ensure that companies respect individuals’ fundamental right to data protection, and to ensure that firms maximise the benefits of data usage, to the advantage of as many customers as possible.

Failing to have the right IT infrastructure, and to invest in it, has the potential to become the single biggest regulatory risk for firms, one that may be underlined further by the implementation of the GDPR.

Across all industry sectors, Boards will need to consider whether firms are making the right level of investment, and whether it is targeted in the right place, to build a future-proof IT system that is flexible enough to meet regulatory requirements and to support innovation both today and tomorrow.

Raluca Boroianu-Omura is Manager of Conduct Regulation at the ABI


Last updated 29/06/2016