We regularly publish Opinion pieces at Insurance-Edge, and this latest article looks at the potential claims which may arise from the implementation of GDPR. The complex rules on data handling place the responsibility of looking after consumer data on the insurer, or third parties, such as claims management companies, or brokers.
It remains to be seen what will happen if a customer feels their data has been incorrectly passed to a third party, and that in turn has caused them a financial loss – in other words, they have a basis to make a claim.
In this piece, Neil Wilks from Auger looks at the potential risks for companies active in the insurance sector.
The General Data Protection Regulation (GDPR) rules could create chaos through the insurance industry supply chain on the scale of PPI. Those companies or individuals who suspect insurance companies may be storing or processing data illegally will almost certainly be encouraged to pursue a claim much in the same way as PPI claims mushroomed.
The additional issue here for insurers is the approved supplier’s delivery model. Although many insurers and adjusters will look at the governance surrounding sub-contractors, they also need to consider the data security of the smaller local or regional suppliers (known as sub-processors) employed by the main contractor further down the line, who may not have the same processes in place.
For the insurance industry, GDPR is a big shake-up, and will cause significant disruption to how insurers store, manage and process personal data. They could find themselves on the wrong end of various legal scenarios if they don’t put their house in order.
Auger is a specialist in water mains and drainage claims across the UK, so one scenario could be that insurers will face claims that are genuine, where there has been negligence and damaging effects from the misuse of a company’s or an individual’s data. There will also be the no-win no-fee scenario: the ‘ambulance chasers’ who will want to maximise it, just as many have done with PPI.
As insurance companies often both control and process data, they need to be fully prepared for the new rules to come into effect.
The most senior management at board level may well be held accountable for any failures to implement GDPR, and the Information Commissioner’s Office will be able to take action against organisations and individuals that collect, use and keep personal information once the regulation is introduced from May 25.
Customers will be entitled to ask insurers to delete their personal data where it is no longer required for its original purpose, or where they have withdrawn their consent. Under the GDPR, insurance customers can request that their personal data be transferred to a competitor.
If there is a data breach for whatever reason, the legislation allows 72 hours to report it. Fines for non-compliance with the GDPR could be up to four per cent of total annual turnover.
More information, including a selection of videos explaining the rules, is available at the EU website here.