The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which applies from 25 May 2018, standardises and strengthens the protection of personal data throughout Europe. Its overriding goal is to return control of personal data to EU citizens and residents, while imposing significant sanctions for non-compliance (up to EUR 20m or 4% of total worldwide annual turnover, whichever is higher).
GDPR significantly extends the existing data protection requirements: it widens the territorial scope, strengthens the rights of individuals and adds specific obligations for financial institutions.
We have previously published a more detailed introduction of the GDPR scope, its major implications and a recommendation for a three-step implementation approach on this platform (see: https://www.insurance-hub.eu/general-data-protection-regulation/).
For insurance companies with complex, interrelated systems, timely GDPR compliance will pose a major challenge. Most insurers have already launched initiatives to identify GDPR gaps and to define the measures required to achieve compliance. One of the major challenges for each institution, however, is to define its individual target compliance ‘level’, since the regulation leaves wide scope for interpretation and calls for a tailored approach that takes into account the results of a data protection impact assessment (Article 35).
Therefore, each insurance company has to address many individual issues in the course of the GDPR implementation. This article focuses on how to implement the ‘right to erasure’ (also referred to as ‘the right to be forgotten’).
Right to erasure
GDPR Article 17, paragraphs 1 and 2, state the specific grounds on which erasure of personal data can be requested. Of these, points (a) to (c) of paragraph 1 are the ones most relevant to insurance companies:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay… where one of the following grounds applies:
(a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) The data subject withdraws consent…
(c) The data subject objects to the processing…”
Within the same article, point (b) of paragraph 3 refers to other legal obligations that may override the ‘right to be forgotten’:
“Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a)…; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller…”
This obliges insurance companies not only to manage and control, for every individual and in all relevant cases, the purpose of processing and the consent given for it, but also to be aware of the other laws that interact with GDPR and the retention periods they impose. The main reasons for keeping personal data lie in commercial law, yet there are many other exemptions that override the right to be forgotten, at least for a specific period.
Operationally speaking, if an example customer ‘John Doe’, who holds several active insurance policies, requests erasure of his personal data, the insurance company must be able to identify immediately which data on ‘John Doe’ it holds, where it is stored and for what purposes. As different purposes come with different retention periods, the insurance company must then be technically capable of selectively removing data from the data pools used by specific applications: since ‘John Doe’ has withdrawn his consent and asked for erasure, processing of his personal data for marketing purposes is no longer allowed, but because of other obligations of the insurance company (e.g. proving the integrity of its balance sheet and the processed transactions) the data itself cannot be erased just yet; processing of it must instead be restricted to those remaining purposes.
As a consequence, GDPR requires institutions to achieve a much deeper understanding of the purposes for which personal data is kept. To do this, each item of information needs to be classified not only by its purpose but also by the source from which it was collected. These data classes then need to be validated against the applicable law and the related retention periods.
We finalise this short example by outlining a high-level data erasure process in the following figure:
To implement an effective data erasure process, insurance companies need a comprehensive end-to-end view of all processes and systems that deal with personal data, while keeping in mind that GDPR is not just another regulation to deal with, but also a piece of the customer experience puzzle: an opportunity to demonstrate that the company is ‘best in class’ in dealing with customer requests. To keep the customer as one of its main assets, an institution needs to implement appropriate channels to capture requests and to keep the customer informed, especially about which data have been deleted and about any exceptions, including the reasons.
At the same time, the details of each customer request need to be managed, the relevant data items and their locations need to be made transparent, and the checks on whether each item can be erased need to be carried out, all before any data is erased. Where exemption rules apply, erasure of the affected data may be delayed. Where third parties are involved, they must be informed of the erasure request and must confirm that they have acted on it. Each of these execution steps can be very time-consuming and cause significant manual effort if the institution has no adequate tools to support the process.
From our experience, most insurance companies will not have implemented an ‘ideal’ supporting tool before May 2018 and will therefore have to rely on manual processes for data erasure. Looking ahead, new systems (either third-party or internally designed) that provide APIs to support data erasure should become available. The more challenging part, however, seems to be the collection (and maintenance) of all the metadata required to compile the list of affected data items together with the applicable exemptions. To do so, financial institutions need to implement a comprehensive view of all data belonging to individuals (e.g. as part of an extended business glossary in line with BCBS 239), including each item's location and purpose. Furthermore, they must record whether individuals have given or withdrawn their consent to the processing and retention of their data.
This metadata can be extended to cover user access, data breaches, third-party interfaces, etc.
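The following is an added illustration, not code from this article or from any insurer, of the decision step described above for ‘John Doe’: each data item from the glossary carries its location, source, purposes and third-party recipients; the engine checks every purpose against withdrawn consent, live contracts and statutory retention, and returns erase, restrict (stop the withdrawn purposes but keep the item) or retain, plus the list of recipients to notify. The schema, system and purpose names, the subject's record and the retention date are all assumptions constructed for the example; real retention periods come from the applicable Union or Member State law.

```python
"""Per-item right-to-erasure decisions (GDPR Art. 17), added example.

Everything here is constructed for illustration: the DataItem schema, the
system and purpose names, the subject's inventory and the retention date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet

# Purposes whose only legal basis is the subject's consent (assumption).
CONSENT_BASED = frozenset({"marketing", "analytics"})


@dataclass(frozen=True)
class DataItem:
    """One personal-data attribute as the business glossary should record it."""
    system: str                               # where it is stored
    attribute: str                            # which field
    source: str                               # where it was collected
    purposes: FrozenSet[str]                  # every purpose it currently serves
    recipients: FrozenSet[str] = frozenset()  # third parties it was disclosed to


@dataclass(frozen=True)
class ErasureRequest:
    subject_id: str
    received: date
    withdrawn: FrozenSet[str]   # purposes for which consent was withdrawn / objection raised
    active_contracts: bool      # subject still holds live policies


@dataclass
class Decision:
    item: DataItem
    action: str                 # 'erase', 'restrict' or 'retain'
    kept_for: FrozenSet[str]    # purposes that may still be processed
    reason: str                 # goes into the reply to the subject and the audit trail


def lawful_purposes(item: DataItem, req: ErasureRequest,
                    legal_holds: Dict[str, date]) -> FrozenSet[str]:
    """Purposes for which processing remains necessary after the request.

    legal_holds maps a purpose to the end of its statutory retention period;
    while it runs, Art. 17(3)(b) overrides erasure.  Contract data stays
    necessary while a policy is live (otherwise Art. 17(1)(a) applies); a
    consent-based purpose falls away once consent is withdrawn (Art. 17(1)(b)).
    """
    kept = set()
    for p in item.purposes:
        if p in legal_holds and legal_holds[p] > req.received:
            kept.add(p)
        elif p == "contract" and req.active_contracts:
            kept.add(p)
        elif p in CONSENT_BASED and p not in req.withdrawn:
            kept.add(p)
    return frozenset(kept)


def decide(item: DataItem, req: ErasureRequest,
           legal_holds: Dict[str, date]) -> Decision:
    """Classify one item as erase / restrict / retain with a stated reason."""
    kept = lawful_purposes(item, req, legal_holds)
    if not kept:
        return Decision(item, "erase", kept, "no remaining lawful purpose")
    why = "still necessary for " + ", ".join(sorted(kept))
    holds = ", ".join(f"{p} until {legal_holds[p].isoformat()}"
                      for p in sorted(kept) if p in legal_holds)
    if holds:
        why += f" (legal retention: {holds}, Art. 17(3)(b))"
    if kept == item.purposes:
        return Decision(item, "retain", kept, why)
    dropped = ", ".join(sorted(item.purposes - kept))
    return Decision(item, "restrict", kept, f"processing for {dropped} stopped; {why}")


def process_request(inventory, req, legal_holds):
    """Decisions for every item plus (recipient, system, attribute) notifications."""
    decisions = [decide(i, req, legal_holds) for i in inventory]
    notify = sorted({(r, d.item.system, d.item.attribute)
                     for d in decisions if d.action != "retain"
                     for r in d.item.recipients})
    return decisions, notify


def summary(decisions):
    """Counts per action, for the reply to the subject and the audit trail."""
    out = {"erase": 0, "restrict": 0, "retain": 0}
    for d in decisions:
        out[d.action] += 1
    return out


# Constructed glossary extract for 'John Doe', who still holds live policies.
JOHN_DOE = [
    DataItem("CRM", "email", "customer", frozenset({"marketing", "contract"}),
             frozenset({"mailing-service"})),
    DataItem("CRM", "newsletter_preferences", "customer", frozenset({"marketing"}),
             frozenset({"mailing-service"})),
    DataItem("policy-admin", "address", "customer", frozenset({"contract", "accounting"})),
    DataItem("claims-archive", "claim_payments", "claims-handler",
             frozenset({"analytics", "accounting"})),
    DataItem("marketing-dwh", "web_tracking", "website", frozenset({"analytics"})),
]
# Assumed end of the commercial-law retention period for accounting records.
LEGAL_HOLDS = {"accounting": date(2028, 12, 31)}
REQUEST = ErasureRequest("john.doe", date(2018, 6, 1),
                         frozenset({"marketing", "analytics"}), active_contracts=True)

if __name__ == "__main__":
    decisions, notify = process_request(JOHN_DOE, REQUEST, LEGAL_HOLDS)
    for d in decisions:
        print(f"{d.action:8} {d.item.system}/{d.item.attribute}: {d.reason}")
    print("notify:", notify)
```

Run as a script, the engine erases the two items that served only withdrawn purposes, restricts the CRM e-mail and the claim payments to their remaining contract or accounting purpose, retains the policy address unchanged, and lists the mailing service as the third party to be informed. Note that a restricted item still needs a technical control in the application that uses it (for example a flag the marketing system honours), otherwise the decision exists only on paper.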
GDPR clearly has the potential to keep insurance companies busy for a while, not only with achieving compliance by May 2018 but also with optimising their solutions to a mature and efficient level. The data erasure topic discussed in this article will require several options and decisions to be weighed against their costs and benefits within the existing IT architecture.
Given the May 2018 application date, we can assume that the target state will not be reached for all systems and processes. We therefore strongly advise insurance companies to implement their tactical response to GDPR with the roadmap for the future development of the organisation and IT landscape in mind. This particularly holds true for the right to erasure, which in the short term may only require a defined and tested manual process that is transparent, repeatable and efficient.
Despite the effort and challenges, however, it is possible to spot opportunities within GDPR, and insurance companies are well advised to concentrate on these. Data is often called the “gold of the 21st century”; showing customers how seriously an institution takes its control over their data will be fundamental in “mining this gold”.