Insurers facing data protection trouble
Some insurers are implementing only the minimum data protection standards as required in a jurisdiction—but this approach will cause problems for them, according to Darren Wray, CEO of consultancy firm Fifth Step.
In preparation for the implementation of the onerous General Data Protection Regulation (GDPR) in Europe in May 2018, a number of global insurers have opted to adhere to arguably lower required standards in other jurisdictions such as Bermuda or the US, Wray said.
This may help insurers reduce costs. However, at the same time, this lowers their ability to be flexible to send and process data elsewhere, where data protection rules are less stringent.
While it may be best for global insurers to have few data locations to allow for the efficient management of data, this is becoming increasingly difficult as countries such as Russia and China are pushing to keep data concerning their citizens within the country.
Organisations in breach of GDPR will face significant penalties. Companies can be fined up to 4 percent of annual global turnover, or €20 million ($24 million), whichever is greater. Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
Many organisations based outside Europe have very little understanding of the GDPR requirements and if they have data breaches with European data they will incur big fines, Wray said.
Among challenges insurers face while preparing for GDPR is understanding the nature and the scope of what personal data is, he explained. The new regulation includes, for example, genetic information such as used in biometrics for identifying people through fingerprints or iris scans.
Such data are now deemed personal sensitive information. The new regulation also considers IP addresses as personal information. Organisations which are collecting IP addresses on their website logs, for example, need to treat that as personal information and ensure that it is protected.
Location data is another aspect causing organisations trouble as they prepare for GDPR. Many firms provide mobile phones to staff and these provide the ability to be tracked. That information is understood as personal information under GDPR and has to be locked down; it can’t be shared, and can’t be used for a purpose other than what it is stated for, Wray said.
“The biggest challenge is coming down to the fact that organisations have left it a bit late,” Wray said.
Get the latest re/insurance news sent to your inbox every day - Sign up to our free email newsletters
Today’s Monte Carlo stories
Beale mulls ILS solution to protect Lloyd’s market using new UK regulations
Allianz may seek additional reinsurance protection for cyber
VIG Re sets sights on Germany, France
Buyers seek extra protection after scare
XL Catlin sets its sights on the ‘fascinating’ Indian market
Costs need to fall to allow for re/insurance growth: Swiss Re
Irma, Harvey risks not reflected in price
Specialty lines ‘the next frontier’ for ILS
“The first thing the Bermuda Market will do is pay”: KPMG
Irma will focus rating agencies on reinsurers’ ERM performance
Barbican eyes new opportunities ahead
Irma an opportunity for ILS to prove its credentials
Bond Dickinson unveils US combination deal
Irma: too early to see an effect on rates
JLT Re well placed for changes in market
Fourth industrial revolution will transform insurance value chain
