The introduction of the GDPR will make a significant impact on the insurance industry, both within and outside Europe.
The good news is that the GDPR, and particularly the new mandatory data breach rules it introduces, should be a major driver in demand for cyber insurance policies in Europe.
The GDPR requires that controllers notify data protection regulators and affected individuals about any personal data breach which is likely to result in a risk to affected individuals.
Notification significantly increases the costs of responding to a data breach, as well as the chances that affected individuals will make claims against the controller. Cyber insurance is already well established in the United States, which has had mandatory data breach notification laws for more than 15 years.
The not-so-good news is that the GDPR also introduces a wide range of new compliance requirements for businesses which handle personal data in Europe or personal data of individuals located in Europe.
Insurers handle massive amounts of personal data about their own policyholders and employees, but also about a range of other individuals – for example, people involved in an assault, witnesses to a motor vehicle accident, or doctors who provide expert evidence about injuries.
Furthermore, much of the personal data that insurers hold about individuals is sensitive in nature – particularly information about a person’s health or medical treatment. These “special categories” of personal data cannot be processed unless the individual has given explicit consent to that processing, or in certain other limited circumstances, none of which readily apply to the insurance industry.
The insurance industry has voiced concern about this and the effect it could have on its ability to provide policies and process claims. The Lloyd’s Market Association has sought clarity on this point from the UK Information Commissioner’s Office (“ICO”).
The Association has said that the ICO’s guidance must either give further direction on the consent requirements for insurers, or provide a dedicated legal ground for the processing of special categories of personal data by the insurance industry.
Many insurers are active direct marketers, and the GDPR also introduces new restrictions on direct marketing. The most significant of these is that “opt-out” mechanisms, such as pre-ticked boxes, are no longer a valid method of obtaining consent from individuals. In addition, new restrictions on electronic direct marketing are expected to be introduced later in the year, when the European Parliament passes the new ePrivacy Regulation.
Insurers should have revised their existing privacy notices to comply with the GDPR. The GDPR includes a long list of details which must be notified to data subjects at the time their personal data is collected.
Several of these details are new – for example, if personal data is being processed on the basis of the controller’s “legitimate interests”, the notice must indicate this and state what those legitimate interests are. To combat “notice fatigue”, the GDPR provides that notices must be in clear and plain language, concise, transparent and easily accessible.
The rights of individuals are another area in which the GDPR strengthens existing protections for personal data. The existing right for individuals to seek access to or correction of their personal data remains, but in addition individuals now have a series of new rights, many of which are not found in other jurisdictions. The individual must be informed of these rights in the controller’s privacy notice.
These rights include a right for the individual to request that their data be deleted (the so-called “right to be forgotten”), a right to object to processing, and a right to data portability.
The latter means that, on request, a data controller must provide the data subject with a copy of their personal data in a structured, commonly used and machine-readable format. This means that a policyholder could request a copy of all data that their insurer holds about them, so they can provide it to their new insurer.
More insurers are using artificial intelligence software to assess applications and to identify fraudulent claims. Insurers need to take additional care in the use of those technologies. Individuals must be informed about any automated decision-making processes in the insurer’s privacy notice. Individuals will also have the right to object to automated decision-making, meaning that the insurer must have a non-automated alternative.
Finally, international insurers should be aware that the GDPR has extraterritorial effect, and this may mean that it applies to some of their operations outside the European Union. Even insurers with no operations or presence in the EU are subject to the GDPR to the extent that they offer services to individuals located in the EU.
The GDPR is both a challenge and an opportunity for the insurance industry. GDPR has raised customer awareness of and expectations around the protection of personal data.
While it is to be hoped that this will increase demand for cyber insurance, it also means a significant compliance effort for insurers. The good news is that the increasing importance that customers place on data protection should mean that insurers who make the effort to put compliance measures in place should find that data protection becomes a key part of building trust with their customers.
By Nicholas Blackmore, Special Counsel, Kennedy