The General Data Protection Regulation (GDPR) could become the new Payment Protection Insurance (PPI) as claims firms look for new ways to make cash, according to a CEO and GDPR author.
The data law, which comes into force on May 25, 2018, could become a focus for claims companies looking for ways to stay solvent as the window for making PPI claims comes to an end, says Darren Wray, chief exec of Fifth Step.
More than £40 billion has been paid out in compensation to UK consumers who were mis-sold PPI in what became a major scandal. But with the window for claims coming to an end in August next year, the next big thing for claims firms could be GDPR class actions, according to Wray.
“Those claims companies are now in a situation of evolving to the next opportunity, or closing up shop. Many of them are obviously looking at new opportunities,” Wray told Insurance Business.
“More than 10 million people have pursued PPI claims, so GDPR class action claims could be the way forward for claim companies – a scenario that has been laid out to me by recent conversations with some eminent legal professionals,” he said.
“All it will take is a few tweaks to implement a new type of process and some conversations with legal partners to smooth the path to arranging suits. The timing is right, the people are already in place and the motive is there. The only question to ask is: ‘why not go for it?’”
While the GDPR implementation date is just weeks away, many organisations remain unprepared for its arrival – and some may be mistakenly complacent. For the insurance sector, it’s crucial that brokers and insurers don’t assume that only those in personal lines need be concerned.
“Exposure-wise, the insurance sector collects a large amount of data, and a large amount of that data is considered to be personal information under the GDPR,” Wray said. “That’s particularly true of personal lines – that makes sense. But it’s also true of commercial lines.
“Managing agents and brokers in particular are likely to be more exposed, and are likely to be collecting and processing far more personal data than they think.”
With the vast amount of data collected by the industry, it’s not just the type of data that needs to be looked at – but whether it needs to be collected at all.
“Part of GDPR says that you should only process and capture the information that is required for the provision of the service,” Wray explained.
In the insurance sector, there are a lot of instances where information has been collected early on but may no longer be needed, and that could pose problems when it comes to GDPR compliance.
“Now, insurers big and small, MGAs, and brokers are having to reconsider some of that information that they’re capturing,” Wray said.