A new data-protection regulation could seriously hamper insurers’ efforts to combat fraud, an insurance law firm has warned.
The General Data Protection Regulation (GDPR) will be in force in a year’s time, taking effect on May 25, 2018. However, according to specialist insurance law firm Horwich Farrelly, “significant parts” of the regulation need further government guidance on their “interpretation and application in the UK.”
“Until this guidance is forthcoming, Rick Preston, head of intelligence services at Horwich Farrelly, believes there is a real danger that insurance fraud detection may be seriously hampered by the regulations if they are applied as currently drafted,” the firm wrote in a news release.
The current Data Protection Act allows insurers and law firms to use personal data to investigate potential fraud without having to get permission from the people involved. The GDPR, however, keeps a much tighter leash on insurers’ ability to use that data.
“Under the new legislation, the government may need to approve that companies are ‘competent authorities’ in order to continue to undertake certain categories of civil investigation and intelligence sharing,” Preston said. “In practical terms, insurers and law firms will have to firm up their policy wordings, processing notices and client-care letters to be explicit as to the nature of their intentions in regard to counter-fraud data-sharing practices, seeking express authority to do so.”
Under the GDPR, if an individual challenges an insurance company, the burden of proof would be on the insurer to prove it had “legitimate grounds” for storing and processing data.
Horwich Farrelly said it was “lobbying hard” for further clarification of the regulation. In the meantime, however, the firm recommended that insurers make certain they’re taking steps to comply once the GDPR takes effect.
“The GDPR provides considerably tougher penalties than the DPA with fines of up to 4% of annual global turnover or €20 million, whichever is greater,” Preston said. “If the May deadline isn’t enough of an incentive, then the stiffer penalties should encourage firms to act now and prepare for regulatory changes.”
Related stories:
One year to GDPR: is the insurance sector ready?
GDPR: How will it affect your business?
