For agents, the European Union’s newest data privacy law calls for a renewed emphasis on security and protection of their clients’ information.
When the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, nearly every consumer received a flurry of emails explaining the new law. While these ceaseless messages inspired plenty of jokes on social media, the implications for insurers and insurance agents are more serious now that they have to incorporate GDPR standards into their operations.
In essence, the GDPR shifts control over personal data usage from data collectors and processors — like insurance companies — to the individual whom that information concerns. Among other changes, a company must obtain the person’s explicit consent in order to use their personal data. These changes have an expanded jurisdictional footprint, too; the GDPR “applies to all companies processing the personal data of data subjects residing in the [European] Union, regardless of the company’s location.”
Under the law, insurers must report any data breach within 72 hours. A company that fails to comply with GDPR guidelines could be hit with a fine equalling as much as 4% of annual global revenues. Considering the fact that insurance companies and agents handle an enormous amount of personal data from clients — everything from driving history and health status to personal interests and educational information — the GDPR will radically alter how the industry draws up contracts and markets its services to the public. Accordingly, agents and insurers need to understand how this new regulation impacts client interactions and business operations.
What the GDPR Means for Insurers
Although the law just went into effect, experts in the insurance field have begun to speculate on what the long-term effects of the GDPR might be. Three areas in particular are projected to feel the greatest impact: underwriting, cyber insurance, and data transfer.
1. Underwriting
In assessing the wide-ranging ramifications of the GDPR, A.M. Best contends that new restrictions on the collection of and access to personal data could severely weaken underwriting quality. Rather than gathering individual information to more accurately pinpoint underwriting risk, insurers would turn to what A.M. Best termed “aggregated, anonymous data.”
2. Cyber Insurance
A report from AIG predicts a surge of cyber insurance claims following implementation of GDPR. Hackers will use the new law as leverage to extort more ransom from companies, according to Mark Camillo, Head of Cyber for EMEA at AIG. As the breach reporting mandate goes into effect, companies will likely report security compromises more often, which will increase the volume of cyber insurance claims.
3. Data Transfer
Since the GDPR allows individuals to transfer personal information from one insurer to another, insurance companies will have to learn how to comply with their requests. While that could intensify competition because policyholders will have the ability to easily change companies, it also means insurers must put systems in place to accommodate data from competitors. This development has the potential to swing the pendulum in the direction of tech-driven insurtechs, as major insurers will no longer have exclusive control over industry data.
What the GDPR Means for Insurance Agents
Much of the reaction to GDPR has centered on how insurers and reinsurers handle client data. Nevertheless, insurance agents will feel its effects as well. Since so many of your clients will have received a flood of emails and notifications regarding the ways companies are protecting their data, they’ll likely want to know what you’re doing as well — or what you think of the new set of regulations.
Of course, agents depend on personal data from clients and prospects to design effective strategies to cover their varied risks. As GDPR makes clear, agents are now required to obtain permission from the subject before they can use the data. This consent needs to be documented in an official form clearly stating that the individual approves the intended use of the information. However, the GDPR does permit exceptions to this rule: permission may not be needed if the data is used for a legitimate business purpose such as writing up an insurance contract.
The reliance on big data by the global economy’s largest industries — insurance included — has only heightened concerns about information security. Accordingly, this sweeping set of regulations can be interpreted as a response to the public outcry for greater safeguards of personal data. For agents, this is an opportunity to have meaningful discussions with clients about where their information goes, how it benefits them to keep you informed, and what this means for their coverage in the future.