GDPR - insurers start now or count the cost

Regulatory Timeline

The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, giving insurers (and all companies) 17 months from Christmas to comply.

What is GDPR?

GDPR aims to protect personally identifiable data of EU citizens, wherever it is processed, through data processing and record keeping requirements, and is enforceable in law.

What is the impact on insurers?

GDPR will significantly impact insurers and brokers, requiring close interaction between legal, compliance, underwriting and technology to establish a comprehensive response. It presents challenges for management on the use of client data, as well as an opportunity to revise data management, governance and infrastructure.

Banks are arguably ahead of insurers in terms of processes and systems they can leverage for GDPR compliance due to a need for greater compliance with "know your client" legislation. This has historically had a lower impact on insurers due to the need to demonstrate a financial interest in the insured person or asset.

What is the cost of non-compliance?

The financial impacts are also significant, with the current proposal that fines for non-compliance should be four percent of global turnover or €20 million, whichever is the greater. This is especially important for global re-insurers or organisations with entities in the London Markets and Specialties space. These entities can have few staff with simple systems and processes; however, any non-compliance will be linked to the group's extensive global turnover, generating a disproportionate four percent risk.

So what should you do?

Insurers and brokers will need to:

  • Modify underwriting procedures and systems to establish auditable, free and informed client consent for data processing
  • Update infrastructure, processes and controls to support data redaction and portability requirements
  • Establish data classification and monitoring solutions (sensitive data is often distributed widely across the insurer or broker)
  • Enhance breach identification, reporting procedures and solutions
  • Establish a comprehensive data protection control environment and governance

And where to start

A good place to start is to conduct a Data Privacy Impact Assessment to establish the key areas of risk and potential non-compliance with GDPR. This will help address the identified gaps through enhancements to risk management, data management, processes, operations and security.

John Bradley

Owner, Kilkerrin Consulting

7y

Thanks, John. GDPR represents a step change in data protection legislation and in the penalties for non-compliance (up to 4% of revenue). I'm not sure that, for example, Data Controllers, such as insurers, are generally aware of the implications and the need to start preparing for compliance right now.

Andrew McQuade

Managing Director at Kyngswoode Services Limited

7y

A good article John. Don't forget that CDCAT® can do the Data Privacy Impact Assessment as part of the overall report which only takes 12 hours from start to finish.

Kev Jefcoate

Director - Oak Marketing Compliance

7y

17 months isn't that long...
