Regulars | 08.05.2018

It’s coming, ready or not

On May 25, the General Data Protection Regulation comes into force and is set to impact the insurance industry hugely. We take a look at how to prepare

The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May, whether the insurance industry is ready or not. The scope of the regulation is not only Europe-wide – it also applies to organisations outside the EU that process the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour.

Despite this, various reports suggest the world is far from ready – with some suggesting that, even within Europe, about 75% of businesses have yet to prepare.

Is the insurance industry any different and how can companies help themselves?

Lawyers at Clyde & Co warn: “While some companies within the insurance sector have made good progress towards GDPR compliance, we know there are large parts of the industry that have not made adequate plans for compliance.” However, they also believe it is never too late to start a GDPR compliance project.

Mike Steeds, operations director at Prescott Jones, agrees: “The introduction of the GDPR is going to have a significant impact on the insurance industry.

“The biggest effect is going to be on how the industry deals with the processing of sensitive personal data, where there are specific issues. Many insurance products and policies rely on personal data being provided for arranging and underwriting purposes and for when claims arise.”


  • Data breach deadlines: Insurers will have just 72 hours from becoming aware of a personal data breach to notify the regulator, and where the breach is likely to result in a high risk to individuals they must also inform those affected without undue delay.
  • Better quality consents required: Insurers will have to meet tougher quality requirements for legal consent, if they want to rely on consent to process personal data. Customers must give that consent freely and on the basis they have been fully informed about the nature of each type of usage. The insurer will have to prove that they have obtained consent of the right quality.
  • Privacy by design: Insurers will be required to minimise the collection and use of personal data and will be expected to do this automatically as they design new products and services.
  • New fines and penalties: Regulators will have the power to fine insurers up to €20m or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches.
  • Processing now at risk: Customers will have the right to object to having data on them used for insurance activities such as risk and pricing modelling, unless the insurer has compelling and legitimate reasons. Customers have the right to object to data processing for direct marketing.
  • Profiling gets tougher: Insurers will not usually be allowed to make decisions about customers purely on the basis of automated processing, including profiling, unless they have established a legal right to do so, which will generally be contract-based.
  • New right to be forgotten: Customers will be entitled to ask insurers to delete their personal data where it is no longer required for its original purpose, or where they have withdrawn their consent.
  • Portability guaranteed: Customers will be entitled to request that their personal data is transferred from one insurer to another as they switch companies. Insurers will be obliged to facilitate this.
  • International data transfers: While EU data transfer rules are not fundamentally altered, there will be enhanced regulation of the mechanisms put in place to ensure that personal data is properly protected when abroad.
  • Data protection officers (DPOs): PwC considers that DPOs are required as a matter of good governance in all cases.


Insurers must initially assess where GDPR sits within their risk appetite and look at the opportunity it could pose, suggests PwC. They will also need to carry out an assessment of their current state as it relates to the new regulation.

A risk-based approach considers the specific characteristics of an organisation (such as the type of personal data, the nature of the customer interaction, geographic operations) and places those elements alongside the gaps and the risk appetite.

Following the assessment and prioritisation phases, organisations may need to:


The urgent priority for insurers is to identify exactly what data they already have, and how and where this information is stored.

Key is understanding what consents and permissions have been obtained. Where those consents are lacking or insufficiently explicit under the GDPR, it may be necessary to contact customers to obtain the right permissions.

At the end of this, insurers should:

  • Understand what data is held, where it is and who has access;
  • Have a clear view of any additional risks posed by third-party access to data;
  • Be sure that data is being used only in ways that customers have consented to.


Claims: Insurers are already using data and analytics tools in the battle to reduce fraud and there are further opportunities; might social media provide valuable evidence of fraudulent claims, for example? However, the new regulation on the consent required for data processing may pose a threat to this.

Pricing: Insurers are excited by the potential of telematics to help them price policies on a much more bespoke basis. The new regulation will limit how telematics data can be used without consent – it will certainly become much harder to monetise this information.

Underwriting: Rich data enables insurers to identify smaller and smaller homogeneous pools of risk, particularly by bringing in non-traditional insurance data such as customers’ credit histories and health records – and even data from geolocation tools. The extent to which customers will give their consent for such data under the GDPR is unknown. Valuable health data may be a particularly knotty issue, as it is special-category data subject to stricter conditions.

Marketing: Marketing is increasingly dependent on highly sophisticated data and analytics tools, capable of delivering personalised messages to customers. It may become a lot harder for insurance marketers post-2018, as the GDPR affords customers the right to object to the use of personal data for direct marketing. And where international insurance groups seek to share information across the company for cross-selling purposes, the new restrictions on data transfers may be problematic.

In each of these functions, and across the business, insurers will need to evaluate whether what they currently do – and what they hope to do in the future – is acceptable under the GDPR. This will determine whether new consents and disclosures are required, or whether certain activities will simply be off-limits.

At the end of this second stage, suggests PwC, insurers should:

  • Have an organisational view of what data privacy means to the whole business;
  • Routinely be incorporating data protection and privacy issues into overall business strategy;
  • Be confident that their systems and processes are agile enough to facilitate innovation;
  • Be ready for further change as the regulatory environment evolves.


The Chartered Insurance Institute (CII) has to prepare for GDPR in the same way as insurance companies and brokers, so what has it been doing?

Liam Russell, legal director and general counsel at the CII, explains that the CII firstly established a working group to consider and implement the CII’s GDPR compliance strategy. “The key thing,” he stresses, “is that compliance is not seen as simply an IT task but is an operational matter affecting the whole organisation.”

For the first stage, the working group spent time completing a data-mapping exercise to establish what data was held, where it is held, by whom, for what purpose, for how long, who else has access and why.

He suggests:

  • A good way to map your data is to send a questionnaire out to senior execs to get completed by their respective departments;
  • The second part is to get the completed questionnaires scrutinised by someone with data protection/GDPR knowledge, e.g. a business analyst or lawyer, to consider if further information is required;
  • Follow this up with a departmental visit to verify the answers on the questionnaire and check how things work on the ground, e.g. files in the corner, storage in cupboards etc.

For contracts:

  • Consider how you have historically dealt with DPA issues in contracts as reliance on a ‘compliance with all applicable laws’ clause will not be sufficient;
  • There are now prescribed contractual clauses outlining basis of processing, who is responsible for what, why, for how long etc;
  • Consider indemnities for breaches and how requests for right of erasure/correction can be communicated.


  • The CII has appointed a third-party service provider to do this.


Training is recommended for all staff (high level) on what GDPR is and how this may affect them (slightly tailor to departments).


  • You will need executive support and buy-in. It is a good way of ensuring that you get your house in order.
  • It is a good time to review your privacy statement; membership/customer declarations and terms and conditions; retention policies.
  • Seek to move away from consent to other modes of lawful processing: compliance with contract, legitimate interests.
  • The CII has developed compulsory and non-compulsory communications, such as an AGM notice (compulsory) and marketing material (not compulsory).

