Risk Insider: Tony Boobier

Insurers Face a Busy 2017 or Big Penalties

By: Tony Boobier | June 9, 2016

Tony Boobier is an experienced independent consultant focusing on insurance analytics. An international speaker, commentator and published author, he lies awake at night thinking about the convergence of insurance and technology. He can be reached at [email protected].

European-based insurers — and all other insurers doing business in Europe — need to be aware of the forthcoming General Data Protection Regulation (GDPR). It takes effect after a two-year transition period, in May 2018.

The intention is to make insurers and other organizations in Europe “fit for the digital age.”

The new regulation provides a single set of data privacy rules across Europe (and will apply even if the UK leaves the European Union, bearing in mind the forthcoming vote at the end of June). The rules govern how organizations — including their partners — store, share and process customer data.

GDPR is serious stuff. Insurers that breach the regulations will suffer fines of €20 million (about $22.8 million) or 4 percent of annual turnover, whichever is higher.

According to a recent survey, two-thirds of Europeans say they are worried they have no control over their online information.

GDPR’s underlying principle is that consumers have a right not only to protection of their data, but also to transparency, to know what data is being stored about them, and “to be forgotten.” Beyond this, they must explicitly consent to the use of their data.

As insurers merge or align with banks and other distribution chains, and seek a single view of the customer, this issue of consent might provide some interesting challenges.

There is also an obligation for all data breaches to be reported and for insurers to undertake regular risk assessments.

Insurers will need to renew their focus on data transparency, security and storage — at a time when data volume is said to be growing at 30 percent annually, and with corporate data volumes doubling every two to three years.

At the same time, 50 percent of all global companies say they will struggle to meet the needs of the regulation unless they make significant changes to the way they operate.

It is impossible to forget the impact of the recent Solvency II regulation in Europe, or to avoid making comparisons. The need to comply with Solvency II consumed vital resources, created a major distraction from other initiatives and created a major supply/demand imbalance in the insurance marketplace that pushed up contractor rates. Will GDPR have a similar effect?

European insurers — and U.S. insurers with European operations — need to look at this seriously, reassess their data governance maturity and start to build a defensible audit trail.

With insurers also beginning to think more seriously about the continued impact of International Financial Reporting Standard 4, Phase 2, and the larger European insurers already planning fit-gap analysis for next year, 2017 is already shaping up to be a busy 12 months.
