13 September 2017 Insurance

Insurers facing data protection trouble

Some insurers are implementing only the minimum data protection standards as required in a jurisdiction—but this approach will cause problems for them, according to Darren Wray, CEO of consultancy firm Fifth Step.

In preparation for the implementation of the onerous General Data Protection Regulation (GDPR) in Europe in May 2018, a number of global insurers have opted to adhere to arguably lower required standards in other jurisdictions such as Bermuda or the US, Wray said.

This may help insurers reduce costs. At the same time, however, it reduces their flexibility to send and process data elsewhere, where data protection rules are less stringent.

While it may be best for global insurers to have few data locations to allow for the efficient management of data, this is becoming increasingly difficult as countries such as Russia and China are pushing to keep data concerning their citizens within the country.

Organisations in breach of GDPR will face significant penalties. Companies can be fined up to 4 percent of annual global turnover, or €20 million ($24 million), whichever is greater. Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.

Many organisations based outside Europe have very little understanding of the GDPR requirements, and if they have data breaches with European data they will incur big fines, Wray said.

Among the challenges insurers face while preparing for GDPR is understanding the nature and the scope of what personal data is, he explained. The new regulation includes, for example, genetic information such as that used in biometrics for identifying people through fingerprints or iris scans.

Such data are now deemed personal sensitive information. The new regulation also considers IP addresses as personal information. Organisations that collect IP addresses in their website logs, for example, need to treat them as personal information and ensure that they are protected.

Location data is another aspect causing organisations trouble as they prepare for GDPR. Many firms provide mobile phones to staff and these provide the ability to be tracked. That information is understood as personal information under GDPR and has to be locked down; it can’t be shared, and can’t be used for a purpose other than what it is stated for, Wray said.

“The biggest challenge is coming down to the fact that organisations have left it a bit late,” Wray said.
