March 16, 2018
How GDPR Will Affect Insurance
Being unprepared for GDPR come May will lead to a number of issues for insurers, especially the bigger they are and the more data they deal with.
From May 2018, new data protection laws will be implemented by the EU to help protect citizens’ data. This looming deadline has made this a particularly hotly debated topic in all sectors, not simply insurance. However, the question of how this new legislation will affect the insurance sector and future policies has been a contentious issue.
Being caught unprepared by GDPR come May will lead to a number of issues for businesses, especially the bigger they are and the more data they deal with. As the insurance sector deals with intimate details of people’s lives and financials, it is vital that the implications of GDPR are considered and the necessary steps are taken to prepare the industry in time.
An Overview of GDPR
On the face of it, GDPR (General Data Protection Regulation) is designed to strengthen and unite data protection for all individuals with European Union citizenship. It also covers the export of personal information outside of the EU, meaning that this is a change which the whole world is watching with bated breath. It officially comes into effect on May 25th, 2018.
The data specifically covered by GDPR includes name, date of birth, physical address, online IP address and other attributes that contribute to a person’s online presence. Failure to protect this data comes with hefty fines. These can be either up to €20 million or 4% of a company’s annual turnover (whichever is the higher sum).
The legislation specifically states that GDPR will have a greater impact on businesses with 250 or more employees. However, that does not mean that small businesses or even sole traders are exempt.
Does Insurance Cover GDPR?
Well, yes and no. It’s becoming a bit of a grey area in the lead-up to GDPR. Many companies are relying on their cyber insurance policies to cover any fines they may garner as a result of GDPR. However, many professionals are stating that this will be unlikely to happen.
Although many companies are trying to adapt their cyber insurance to cover GDPR, many are saying this is unrealistic. For most insurers, cyber insurance typically has a maximum cut-off point of around £400 million. GDPR has the ability to demand 4% of global turnover for larger companies, which can quickly outvalue this. How can insurance policies cope with this?
This also raises another question: where does this leave freelancers and other smaller businesses, who perhaps can’t afford multiple types of insurance policies, or at least not one that can cover the eye-watering €20 million that GDPR calls for? Of course, there is a lesser tier of fines (2% of revenue or €10 million), but this is for lesser offences and not levelled for the turnover or size of a business.
In fact, privately some insurance companies are considering that – realistically – GDPR may be wholly uninsurable in the long term. However, many are waiting for a test case in order to see whether this is the case or not.
New Wave of Insurance
So, the big question: will GDPR cause a new wave of insurance to be created?
At the moment, it certainly seems that current insurance policies will have to be adapted in order to try and cover GDPR. There has been a surge in people taking out cyber insurance in the hope that it will cover them in the case of a GDPR infraction. And if this adaptation fails, perhaps in the case of cybersecurity, the insurance industry must look to move forward with a wholly new type of insurance. Perhaps this is a specific policy which covers the fine up to a certain point, leaving it up to the business to cover the rest of the cost themselves.
The ability to accurately measure risk is at the heart of the insurance sector, which means that, as far as GDPR is concerned, the sector could be a leading force in setting the standard against this new legislation.
Effect on the Insurance Sector
According to Mark Williamson of Clyde & Co, many companies in the insurance sector itself will not be GDPR compliant by May. But what does this really mean?
Confusion surrounding GDPR and how to deal with it, industry-wide, has meant that many companies have been slow to take any action at all. As insurance companies both control and process data, two key factors being considered by GDPR, the need to adapt is vital. This includes insurance that is handled outside of the EU, so it isn’t an issue that will be resolved overnight.
Policyholders often switch insurance providers for better deals and rates. Moving forward, these changes may also be an incentive for people to choose an insurance provider, as proving able to handle GDPR will be a huge incentive for potential customers. In turn, it may also make insurers more wary of new customers, as data processors who are not compliant will be much more open to being fined and having to claim on their insurance policy.
GDPR and Brexit
The question of whether or not Brexit will also have an effect on British insurers has been raised. As the scission between Britain and the EU looms ever closer, the true impact of the move looms as a large question mark for many industries.
But, as GDPR will be enforced both in and outside of the EU, this is one issue on which Brexit will seemingly have no impact, meaning at least one straightforward answer when it comes to GDPR for the insurance sector.
A Need for Change
If one thing is clear as we move closer and closer to the May 28th deadline, it is the fact that change needs to happen in the industry sector. The insurance sector needs to become fully compliant in the run-up to this deadline, while also auditing itself more carefully and even appointing a Data Protection Officer if necessary.
Perhaps the future solution will be a new type of policy. Currently, however, that seems to be a long-off thought for many insurance brokers. The immediate necessity is compliance; post-May we may see a move for a more concrete policy change. It is something to be watched carefully, especially in the first instance, as the first few cases, whether large or small, will help to set the precedent moving forward.