New data protection laws to have “considerable impact” on insurance industry

The right for consumers to have personal data removed is going to be a challenge for insurance companies

By Lucy Hook

An overhaul of UK data protection laws that will effectively implement the EU General Data Protection Regulation (GDPR) will have a significant effect on the insurance industry, according to one expert.

Among a number of changes that the new Data Protection Bill will bring in is a strengthening of the ‘right to be forgotten’ rules, which will give consumers more power over the use of their personal information.

While rules about the ‘right to be forgotten’ already exist, the GDPR brings “significant” changes, although many businesses still don’t know what this means for them, Guy Cohen, head of policy at privacy engineering firm Privitar, told Insurance Business.

Currently, the basis of the ‘right to be forgotten’ is dependent on how the information was processed – where data is processed under contract or on the basis of consent, consumers have an absolute right to deletion of their data by withdrawing consent or on the termination of the contract. However, where data is processed under the basis of ‘legitimate interest’ – which Cohen says will apply to many insurance companies – consumers do not have an absolute right to deletion but the power to request it, and must prove that their information should not be used.

However, under the GDPR, the onus will now be on the data controller to demonstrate why it should be allowed to continue processing the data, which will have “considerable” ramifications for the insurance industry, according to Cohen.

“That’s actually quite a significant departure,” he said of the changes. “Because what it means is it’s much harder for organisations to ignore a ‘right to be forgotten’ request, or an objection to processing on the basis of legitimate interest.

“The amount of data that these organisations hold can be huge, and many of them do not have the data infrastructures to effectively find data relating to an individual and to delete it. Often, they don’t have either mechanism – they don’t have the data discovery tools, and they don’t have the data deletion tools. So placing a greater onus and burden on them, on being able to demonstrate that they’ve complied with [the GDPR], is going to be challenging.”

While for many businesses the new regulations will pose a challenge, there is a silver lining, according to Cohen. Those that use the new regulations as an opportunity to change the way that they collect and store data may see benefits in the long run, he said.

“Insurance is about being able to predict risk best – so if you can leverage your data assets better, then you’ll have an advantage over competitors,” he said. “Those that are slow to react, and do the minimum in just meeting the basic requirements but don’t see it as a strategic opportunity, will probably find it harder to turn those compliance challenges into business opportunities.”
