Simon Hird is head of GI intermediary at Legal & General General Insurance
With the implementation date of the General Data Protection Review (GDPR) just around the corner, time is running out. Largely concerned with altering the way in which businesses process and hold data, it comes as no surprise that GDPR will pose a challenge to the insurance industry, which relies on personal data for underwriting and claims purposes.
To help get ready for the shift in data procedures, we’ve put together five key areas intermediaries need to keep in mind to navigate the incoming regulation:
Current practice allows for businesses to keep individuals’ data on record, unless they ask for their details to be removed. But, as much of the new business intermediaries do is generated from client information they already hold, it will undoubtedly come as a surprise when clients have to actively opt-in to allow them to store and use their data.
One way to avoid customer fallout is through clear communication as clients are unlikely to opt-in to something they don’t fully understand. GDPR offers intermediaries the opportunity to explain how these changes can benefit the customer, for example providing more personalised policies.
- Data storage
GDPR’s implementation is also likely to impact how intermediaries can generate new business, particularly since buying data lists and data collection have regularly been used as methods of approaching new clients. However, from the 25 May these common practices are likely to result in fines.
There are ways in which intermediaries can prepare themselves for the new regulations, including researching and defining their target market, as well as reviewing their current marketing strategy.
- Right to be forgotten
Also known as the ‘right to erasure,’ this phrase has been subject to a lot of column inches and is possibly one of the more daunting aspects of GDPR for the insurance industry since it is twofold. In addition to the restrictive data handling principles regarding how long data can be stored for and utilised, the regulation extends to the erasing systems of the technology itself.
The challenge for intermediaries will therefore be the need to ensure they have the adequate processes and technologies to delete customers’ data on request.
- No hiding places
What happens if there is a data breach? Currently, organisations are able to keep this information to themselves for an extended period of time, however this won’t be the case for much longer.
Intermediaries need to be aware that following the implementation of GDPR, The Data Protection Authorities local to those affected must be informed within 72 hours of the identification or confirmation of the breach.
- Price to pay
For those that choose to not comply with the new regulation, the consequences can be devastating. Currently, the largest fine a company faces in the UK for breaking the Data Protection Laws is £500,000. However, under GDPR these fines have the potential to be as high as €20m or up to four percent of a company’s global annual turnover.
With so much at risk, it’s essential that intermediaries focus their time on ensuring they are compliant with the new regulation and make any necessary changes to their current practices. For those that don’t, there will be a price to pay.