The time has come: from May 25th, the GDPR (General Data Protection Regulation, European Regulation no. 2016/679 on personal data protection, which entered into force on May 24th 2016) will be directly applicable in all Member States.
The GDPR will apply to personal data processing carried out by a data controller or data processor based in the European Union, as well as to personal data processing carried out by a data controller or data processor outside the European Union, where such processing involves the supply of goods or services to, or the monitoring of the conduct of, data subjects located in the European Union. Therefore, insurance brokers or non-EU companies selling policies to EU citizens will be subject to the GDPR.
Companies (of any size) have been given time to comply and will have to be ready by May: compliance with the GDPR will be stimulated by the introduction of rather severe penalties, with fines of up to 20 million euros or 4% of turnover. Not being compliant is quite expensive, but not just that: the company's reputation is at stake, along with consumer confidence, which cannot be ignored by an industry as trust-based as insurance.
Insurance has always been based on data collection, which today is either intrinsically digital or dematerialised (i.e. digitised). Personal data, often sensitive, are increasingly abundant thanks to new collection technologies (such as smartphones or wearables) and to the need to structure them and turn them into leverage to keep up with today's market, which requires new products: slimmer and more personalised policies, on-demand policies, micropolicies, etc.
Therefore, the data protection challenge is quite clear to the insurance industry, but what is changing for insurance as the GDPR is introduced? And what about insurtech?
The GDPR concerns companies of all sizes: apart from the records of processing activities (art. 30 of the GDPR), there are no exclusions by sector or corporate size from the applicability of the European Regulation. What matters is whether the company, as data controller or data processor, deals with personal data of data subjects located in the EU.
Therefore, any requirement applying to a large company also applies to emerging insurtech companies.
The GDPR introduces many novelties, first of all in its regulatory approach, which is no longer prescriptive: it does not set out what must (or must not) be done to be compliant, but rather defines specific targets to be achieved in order to guarantee the protection of personal data, on which the regulation is built, through a series of steps and provisions that guide the company through the adjustment process.
Furthermore, the GDPR introduces the concept of accountability of the data controller, who must be able to prove that the principles set out in Article 5 of the GDPR (lawfulness, fairness and transparency in data processing; purpose limitation; minimisation and accuracy of the data processed; integrity and confidentiality; and limitation of data retention) have been complied with across all relevant fulfilments and obligations.
This approach is consistent with the introduction of the concept of "Privacy by Design and by Default", pursuant to art. 25 of the GDPR, namely respect for and attention to potential future privacy implications during the design of a new good or service that will be offered to the market. In this case, all appropriate technical and organisational measures (such as, for example, pseudonymisation, i.e. the principle whereby profiling information should be retained in a form that prevents user identification) may need to be implemented.
The concept of 'Privacy by default' means that data controllers must implement appropriate technical and organisational measures to ensure that only personal data necessary for a specific purpose will be processed.
Further key elements of the GDPR are:
Records of processing activities - In order to provide a detailed and complete overview of the processing operations carried out within the company, a record of processing activities must be prepared; this document must be drawn up both when the company is the data controller and when it is the data processor. The exclusion only applies to companies with fewer than 250 employees (such as startups), unless the processing carried out is likely to present a risk to the rights and freedoms of the data subject, is not occasional, or includes the processing of special categories of data (art. 9 para. 1 GDPR) or of personal data relating to criminal convictions and offences (art. 10 GDPR).
It must be drawn up taking into account the mandatory elements provided for by art. 30 of the GDPR; however, it may also contain other elements, such as the legal basis for the processing or an indication of the applications used. The list of applications, in fact, can be useful for accurately mapping the security measures implemented or to be implemented, as well as for effectively performing the risk assessment.
While a startup with a small number of employees is not required to keep the record of processing activities, preparing it can be a useful organisational and working tool, even for ensuring compliance, within the individual startup, with the so-called accountability principle. According to this principle, the data controller is responsible for ensuring compliance with the principles applicable to the processing of personal data and must at the same time be able to prove it. Thus, although keeping the register is mandatory only for companies with more than 250 employees, or in the cases specifically provided for by the new legislation (mentioned above), it can still provide effective evidential support for the data controller or processor in view of this requirement.
Data Protection Officer - The documentation to be used must be prepared or revised. For example, the privacy notice must be updated to include the additional elements provided for by the Regulation, while other documents, such as any deed of appointment of the Data Protection Officer, must be drawn up from scratch.
Security - Define security policies and carry out a risk assessment. This phase includes the analysis of the technical and organisational measures to be adopted, taking into account the obligation on the Data Controller to ensure, and be able to prove, that processing is carried out in accordance with the GDPR ("accountability"). Unlike the previous legislation, there is no reference to minimum security measures (regulated in Annex B of Legislative Decree no. 196/2003, the so-called Privacy Code); the GDPR instead requires appropriate technical and organisational measures that ensure a level of security appropriate to the risk. By way of example, the European Regulation refers to the pseudonymisation and encryption of personal data. In this respect, it is useful to point out that security measures will have to be identified taking into account the state of the art and the costs of their implementation, as well as the nature, scope, context and purposes of the processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
Data Breach - The burden on the Data Controller to notify the supervisory authority of personal data breaches that have occurred ("Data Breach") assumes that procedures are established within the company to detect any breaches, taking into account that they must be communicated without undue delay and, where feasible, within 72 hours from the time when the data controller became aware of the breach. These procedures must also enable the company to generate adequate reports containing at least the minimum elements required by art. 33 para. 3 of the GDPR.
Impact assessment - It is essential that start-ups carry out a data protection impact assessment as part of an effective process of compliance with the new legislation. It must be done in the cases specifically provided for in the Regulation, as well as where processing operations to be considered "risky" are carried out. Since the GDPR does not specify which processing operations should be considered "risky", the Data Controller is responsible for carrying out a case-by-case assessment, also taking into account the practical guidance provided by the WP29.
The GDPR clearly changes perspective with respect to the regulations previously in force: it no longer imposes mere bureaucratic burdens but, on the contrary, requires data protection to be treated as an integral part of all business processes.
Here is a document by DAC Beachcroft: a specific guide to the GDPR for insurance carriers.
The GDPR, as already outlined, introduces specific provisions on data security and on the possible loss or theft of data. The growth of cyber attacks worldwide, which have become a real emergency, has also led the European Union to use this new regulation to enforce an organisational and even cultural transformation in all companies dealing with personal data, which do business thanks to users' data and are therefore primarily responsible for the security of such information.
Article 33 of the GDPR ("Notification of a personal data breach to the supervisory authority", known as the Data Breach provision) places on the Data Controller the burden of notifying the supervisory authority of personal data breaches that have occurred. This assumes that procedures are established within the company to detect any breaches, taking into account that they must be communicated without undue delay and, where feasible, within 72 hours from the time when the data controller became aware of the breach.
This obligation to notify, and the resulting disclosure, therefore jeopardises a company's reputation and involves costs.
Demand for 'cyber risk' and 'data breach' policies, which mitigate the financial damage and support the company in managing the situation, is already growing. As early as 2016, the Insurance Information Institute foresaw that premiums for cyber risk coverage would reach 7.5 billion by 2020. Munich Re recently said that premium volume in Europe is expected to increase from $300 million in 2016 to $900 million in 2018, a 200% growth rate in two years.
Even in Italy, where transformation is well known to be slow, according to the most recent data from the Information Security & Privacy Osservatorio of the School of Management of Politecnico di Milano, in 2017 the market for information security solutions, driven by the GDPR, reached 1 billion euros, an increase of 12% compared to 2016. The new insurance market for cyber risk is also growing: still embryonic, but with significant growth potential. Today there are a number of options to cover the loss or disclosure of personal and sensitive data, the impairment of the information system and the interruption of its service, which may protect against damage caused to third parties or to the company itself. 27% of companies took out an insurance policy in 2017, a share that is still limited but growing sharply compared to 15% in 2016, while 11% of companies still remain unaware of the existence of insurance against cyber risk.
The GDPR has challenged companies of all sizes to manage their processes and digitalisation, even those most reluctant to address information security, most of which do not seem to feel affected by the problem. Not complying with the GDPR can be even more expensive, so it is better to comply and take shelter: applying the law and taking out a policy is then a painless step. Adapting to the GDPR and having cyber risk coverage should be seen as an investment rather than a cost.
The startup community can also play its part, particularly on the B2B side, by selling companies technologies for scoring, risk analysis, etc. One of these is the American Cyence, which, after raising about 40 million in venture capital, has recently been acquired by Guidewire.
And there's more: companies can also see the GDPR as an opportunity for customer loyalty.
According to Capgemini Italia, consumers entrust their money and data to insurance companies and banks with a confidence based on the mistaken belief that institutions are 100% safe. While banks are evolving to counter sophisticated cybercrime threats, public awareness of the threats and of the complexity of the challenges remains limited. Many still believe that banks and insurance companies are as unconquerable as fortresses. That is not exactly the case.
“When the GDPR comes into effect and all breaches will likely be released shortly after they occur, many people will be surprised”, said Massimo Ippoliti, Data & Cloud Practice Leader at Capgemini Italia. “The introduction of the GDPR regulation represents an exceptional opportunity for banks and insurance companies to turn their business into digital fortresses that consumers already perceive as such.”
The effort required of insurance by the GDPR will be well rewarded: beyond compliance, it will be a real boost to business.