On 27 April 2016, the European Commission adopted the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) which will enter into force in May 2018. The GDPR will replace current national data protection regulations such as the German Federal Data Protection Act (Bundesdatenschutzgesetz), the Data Protection Act in Sweden based on the European Commission Directive 95/46 or the UK Data Protection Act of 1998. The GDPR significantly extends the regulatory requirements related to customer and counterparty data protection by strengthening and unifying the data protection regulation within the European Union.
The recently published “State of European Data Privacy Survey[i]”, which surveyed more than 900 business and IT decision makers from various industries in France, Germany and the United Kingdom, concludes that the vast majority of European businesses are concerned about complying with the new GDPR regulation. In particular, 96 percent of companies do not fully understand the GDPR and 23 percent state that their companies will not be fully compliant when the regulation enters into force in 2018. The latter is especially problematic since the penalties for infringements were drastically increased, with administrative fines reaching amounts of up to 20 million euros or 4 percent of annual turnover.
Goal of the GDPR
The goal of the GDPR is to protect natural persons (data subjects) living in the European Union regarding the processing of personal data and to anchor the protection of personal data as a fundamental right in supranational law. (NB. The UK government also stated in 2017 that GDPR will be adopted into UK law regardless of Brexit.) The GDPR addresses data protection, with privacy at its core, in a widely digitalized world and provides a single data protection framework applicable for all institutions processing data in the European Union, or more precisely, the European Economic Area. The GDPR focuses on the design of data protection processes and the organizational approach of data protection in companies, i.e. how to take privacy seriously and how to protect sensitive personal data of customers and employees. Addressing the processes and organizational structure also leads to major changes in the technical conception and requires the definition of technical details. The GDPR strongly builds on data management capabilities which have already been triggered in many insurers by external requirements such as Solvency II and IDD or business strategies for further digitalization. In this context, the main challenge is not only to align the requirements imposed by the GDPR with already implemented capabilities and ongoing programs, but also to focus explicitly on the business benefits of privacy protection.
Importance for insurers
Aside from large technology companies, insurance firms are amongst the businesses most directly affected by the GDPR, since they process and store large amounts of data from private individuals. Insurance firms’ increasing use of their customers’ data has been of tremendous value both to the insurance firms themselves and to their customers, through improved and more accurate pricing. The emergence of digital distribution models, including price comparison websites (PCWs), has increased this data dependency.
The key issue for insurers with GDPR will be how to gain customer consent for profiling activities and whether this consent has been freely given. While some exemptions exist within the regulation which might be used for this purpose, it remains to be seen what regulators’ approaches will be to profiling using sensitive data such as health information or data used for fraud analysis.
Insurance firms will also have to determine how they deal with data stored for actuarial analysis. In these cases it may be possible to remove data elements which identify the customer from the data set.
Major implications and changes arising from the GDPR
An initial GDPR impact assessment shows that the GDPR directly affects European insurers and that it has major implications on the three core areas of organization, processes and systems.
Several aspects of special relevance for the organization, processes and systems of an insurer are identified, which need to be addressed in order to achieve compliance with the GDPR:
- Establish a privacy office and privacy change agenda as well as senior management reporting on personal data protection
- Develop and implement a target operating model for data protection governance with policies and a framework including organization, processes and roles / responsibilities (controller, data protection officer, etc.)
- Roll out a defined, firm-wide privacy organizational setup, implement committees and incorporate new roles into existing network
- Implement processes for identifying the relevant personal data scope (personal data required by regulations vs. non-required)
- Define and implement processes for client consent management, disclosure of stored personal data, correction of wrong personal data, right to erasure and portability
- Design, implement and document privacy impact assessments and train respective persons in the relevant processes
- Review and adapt current IT architecture regarding data storage, transformation and processing of personal data to fulfil GDPR requirements
- Expand meta data management (incl. MDM systems) and establish / expand data lineage to comply with data protection requirements
- Perform a personal data inventory, create a harmonized business glossary and map all personal data
The three core areas are complementary, and each of them needs to be covered in order to become compliant. Even the best systems and processes cannot compensate for a gap in the organizational structure of the insurer, such as the lack of the mandatory data protection officer.
By breaking down the high level requirement analysis to a more practical approach, several key GDPR articles with the highest immediate relevance for the sector can be identified.
Deep dive into selected GDPR requirements
From our perspective, special attention in terms of implementation complexity and effort should be paid to a number of GDPR articles.
Article 7 of the GDPR requires companies to obtain, document and prove explicit consent if they want to process data. This provision will lead to a substantial increase in documentation obligations for insurers and excludes, for example, the use of pre-ticked boxes or hidden contractual statements such as “by using this service you agree to all data processing”.
Article 17 of the GDPR requires the deletion of data if it is no longer used for the purpose for which it was originally collected or if the consent for the storage of data is revoked. Therefore, organizations have to decide whether they have a legal obligation or another legitimate purpose to retain the data or whether it can be deleted. For example, for the purposes of actuarial analysis based on historical data it may be necessary to anonymise the personally identifiable elements of the data. Organizations also need to determine whether data has been shared with third parties and whether those parties need to be instructed to delete the data in question as well. As a consequence, organizations have to decide to what extent they re-architect systems, put in place processes to proactively deal with this, or deal with requests on a case-by-case, i.e. reactive, basis.
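The decision described above (retain on a legal basis, anonymise what actuarial analysis still needs, otherwise erase) is easier to see in code. The following is an added example, not code from the article or from any insurer's systems: the record layout, the field names, the retention flags and the sample records are constructed assumptions. It strips direct identifiers, generalises quasi-identifiers (exact date of birth to an age band, full postcode to its outward part) and replaces the policy number with a keyed pseudonym so that rows remain linkable for analysis without anyone lacking the key being able to recover the policy.

```python
"""Added example: minimising a retained actuarial record after an erasure request.
Field names, sample data and retention rules are illustrative assumptions."""
import hashlib
import hmac
from datetime import date

# Constructed sample motor policy records, as an insurer might hold them.
SAMPLE_RECORDS = [
    {"policy_id": "P-1001", "name": "Jane Example", "email": "jane@example.org",
     "dob": "1981-06-14", "postcode": "SW1A 1AA", "vehicle_class": "B",
     "premium": 640.0, "claims": 1, "legal_hold": False},
    {"policy_id": "P-1002", "name": "John Example", "email": "john@example.org",
     "dob": "1994-11-02", "postcode": "M1 1AE", "vehicle_class": "C",
     "premium": 910.0, "claims": 0, "legal_hold": True},
]

# Assumed classification of the fields: what is dropped vs. what actuaries need.
DIRECT_IDENTIFIERS = {"name", "email", "policy_id"}
ACTUARIAL_FIELDS = {"vehicle_class", "premium", "claims"}

# Reference date for age banding: the day the GDPR applies (25 May 2018).
REFERENCE_DATE = date(2018, 5, 25)


def generalise_dob(dob_iso: str, width: int = 5, ref: date = REFERENCE_DATE) -> str:
    """Replace an exact date of birth with a five-year age band."""
    born = date.fromisoformat(dob_iso)
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (area/district); drop the house-level part."""
    return postcode.split()[0]


def anonymise(record: dict, pseudonym_key: bytes) -> dict:
    """Return a copy of the record with identifiers removed or generalised."""
    out = {k: record[k] for k in ACTUARIAL_FIELDS}
    out["age_band"] = generalise_dob(record["dob"])
    out["area"] = generalise_postcode(record["postcode"])
    # Keyed hash (HMAC-SHA256): rows of one policy stay linkable for analysis,
    # but the token cannot be reversed to the policy number without the key.
    digest = hmac.new(pseudonym_key, record["policy_id"].encode(), hashlib.sha256)
    out["row_ref"] = digest.hexdigest()[:16]
    return out


def handle_erasure_request(record: dict, pseudonym_key: bytes,
                           needed_for_actuarial: bool = True):
    """Apply the Article 17 decision to one record.

    Returns (action, payload): 'retain' when a legal obligation overrides the
    request, 'anonymise' when only statistical use remains, else 'erase'.
    """
    if record.get("legal_hold"):
        return "retain", record          # statutory retention; document the basis
    if needed_for_actuarial:
        return "anonymise", anonymise(record, pseudonym_key)
    return "erase", None


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-vault"
    for rec in SAMPLE_RECORDS:
        print(handle_erasure_request(rec, key))
```

In practice the pseudonym key would live in a secrets store, the `legal_hold` decision would come from the retention schedule rather than a flag on the row, and the same routine would be run against every copy that was shared with third parties.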
Article 35 of the GDPR requires firms to conduct a privacy impact assessment (PIA) whenever they implement a new product or process. The PIA should assess the risks to privacy within a product or process activity. It has to include descriptions of mitigating controls that will be built into the program to address privacy risks and compliance issues that have been identified. Firms have to nominate qualified individuals with the responsibility of undertaking a PIA during the early design stages of relevant projects and include PIA in the new product process.
Article 37 of the GDPR requires the designation of a data protection officer (DPO) who has appropriate training and expertise in data protection. One way to document this expertise might be, for example, a CIPP/E certification granted by the International Association of Privacy Professionals. The DPO needs to be independent and reports directly to top management, which shows how highly the role is anchored in the organization.
How to get a grip on GDPR
We propose a three-step approach, as outlined in Figure 3, to get a grip on the GDPR and build a consistent implementation road map. First, a quick check is performed to assess the current level of privacy and to start the preparation for enhancing data management capabilities. In a second step, the road map is set up and target models for the privacy organization, the required processes and the collaboration model are defined. The defined target models must fit into the firm’s current data strategy, and the GDPR project needs to be properly integrated into the overall digitalization strategy. In addition to the conceptual work of defining the required policies, organization and procedures, special focus lies on enhancing the business glossary (if one already exists) with privacy data and on identifying the applications that hold it. During the final stage, the implementation planning is executed and execution support is identified.
Implementing the GDPR is not an option but a legal requirement, which needs a high degree of commitment and resources. However, the new requirements offer firms the opportunity to rethink data protection and to combine the necessary with the useful by gaining a much clearer and fully documented picture of all the customer data stored within the organisation. Addressing questions like “where is the data stored?” or “which part of the organization is in control of the data?” will now be a regulatory requirement. Simultaneously, insurers have to start thinking about which data they own and the best ways to exploit this data. Modern and flexible state-of-the-art data stores provide the basis for advanced analytics to create new products and targeted offerings for cross- and up-selling, particularly if the issues concerning consent for profiling can be overcome. Moreover, proper data management enhances the user-centred customer journey, making it more compelling and highly differentiated by combining personalization, speed and ease of use for all processes. Furthermore, a high degree of security and well-designed privacy processes can be a unique selling point and provide a substantial competitive advantage. People are becoming increasingly sensitive to the topic of data protection and are willing to pay for their privacy. To conclude, insurers should not only see the regulatory efforts associated with the GDPR, but rather focus on the numerous possibilities opened up by a well-designed internal data protection framework.
[i] Official statement: https://www.symantec.com/de/de/about/news/release/article.jsp?prid=20161018_01