
Are insurers and their claims functions adequately equipped for GDPR changes?

July 20, 2017
Posted by adjuno

Data protection law is getting a drastic overhaul by May 2018, and the consequences of breaching the new laws are huge. Possible fines could be as much as 4% of an insurer’s annual world-wide turnover, which could be catastrophic to profits.

Has the insurance industry given thorough consideration to how these new laws affect the claims function and an insurer’s extended supply chain? The number of GDPR conferences, summits and seminars is almost catching up with InsurTech numbers, but we are still not seeing any questions being raised to address the blind spots within the claims supply chain, and this is a real concern.

Many suppliers are often involved during the resolution of a claim, and each of these parties will be accessing, using and storing personal consumer data. As an example, if an insurer acts to resolve a severe water leakage or fire claim, it frequently instructs a number of supplier partners to act on its behalf and carry out repairs or replacements. To do this, consumer data is shared and stored by a number of parties.

Fast-forward to May 2018 and the claimant subsequently invokes the ‘Right of Erasure’ of all their personal data with immediate effect. At this point, how does the insurer reliably ensure that each of its suppliers has erased all the personal data, and who is ultimately responsible for this data? Do insurers even keep a record of every supplier, or fully understand which parties and systems hold or process data that was used to resolve each and every claim?

Moreover, what about industry databases? Can a policyholder or claimant use the ‘Right of Erasure’ to request that all their data be removed from databases such as The Claims and Underwriting Exchange (CUE), or from databases put in place by the likes of the Insurance Fraud Bureau (IFB)?

Another complicated topic is quote comparison sites and the sharing of personal data. GDPR rules also state that “Where technically possible, a data subject also has a right to require that their personal data is transmitted directly between data controllers”. It’s not clear whether this means that a consumer can ask GoCompare.com to request ‘risk’ data from Confused.com, which would make it easier for a consumer to use multiple comparison sites without the hassle of re-keying personal information into different sites. Or will this be a catalyst for the rise of a new type of virtual intermediary who, on behalf of a consumer, contacts various companies to request that the policyholder’s risk data be electronically transferred to the virtual broker? If the right to charge for such data requests is being removed, could insurers be inundated by the sheer workload and cost of handling them if they don’t have systems in place to process them automatically?

GDPR is undoubtedly a milestone moment in the world of data protection law, and it’s still early days, with the landscape still evolving. But as the deadline creeps ever closer, we think these are all important questions that the insurance industry needs to think about while there is still enough time to put solutions in place.
