What is GDPR and why does it matter? Good question. The General Data Protection Regulation (GDPR) is another piece of law from the EU, and it seeks to offer individuals extra privacy and rights over their personal data. For insurance companies in particular, the sections on giving consent in clear, accessible terms and on the re-use of customer data via third parties are perhaps the biggest areas of change.
The new legislation comes into effect on May 25th 2018 and applies across the EU. Indeed, it offers the EU the power to fine companies 4 percent of their global turnover if they breach the regulations – no matter where the company is headquartered. If you trade in the EU, then you are subject to GDPR, so it’s serious regulation.
Main points from the EU’s website here by the way.
Neil Wilks, Head of Tech at Auger, a leading specialist in water-related claims, takes a look at the implications of the new rules across the insurance sector:
Insurance needs ‘streamlining’ for GDPR
The insurance industry will need to streamline its processes to face the challenge of GDPR when it comes into effect in May, and that’s because GDPR allows for collective enforcement of individuals’ rights, but is less beneficial for insurers.
The new GDPR provides a potential avenue for an EU enforcement of rights against giants of industry and tech, which would be prohibitive for individuals to pursue alone. This is great news for customers but less so for large insurers who may have been able to lever their legal expertise in a typical David versus Goliath scenario.
What underpins GDPR is the concept that a data subject, typically the customer, should be engaged in an ongoing manner to ensure their continued consent for a company to process their data, as opposed to a ‘smash-and-grab,’ where a service provider obtains consent up front, when it has more leverage over the customer, and then uses that consent to process their data indefinitely.
From an insurance perspective, processes need to be streamlined and transparent so that all parties comply with any request within a reasonable timescale. As an industry that is often ‘handicapped by legacy and disjointed systems,’ a simple request to delete a subject’s data can be time-consuming, and it can be challenging to ensure all instances of the data are removed.
This highlights an accepted lack of agility in the industry which makes it ever more vulnerable to innovative disruptors who are not handicapped in this way or, perhaps more worryingly, giants such as Amazon who are currently circling the industry. They already have the systems and processes in place to handle GDPR with the ease and lack of friction that have made their other services so successful.
With disruptors on the other side of the pond like Lemonade utilising technology and AI to decide the outcome of a claim and paying it in a reported three minutes, the future of insurance appears set to follow this frictionless model.
European counterparts who are subject to GDPR need to bear in mind that AI decision-making is not cast in stone – it can be challenged. Article 22 of GDPR places restrictions based on automated decision-making processes, which allow a subject to challenge and request an automated decision be reviewed by a human. For a customer whose claim is declined, their trust in an insurer could be eroded the minute they learn their decision was made by an algorithm, and they could be lost altogether should the human then reverse the decision.