What the GDPR means for the insurance industry

Thomas Leonardi

EVP, Government Affairs, Public Policy & Communications at AIG

The European Union (“EU”) General Data Protection Regulation (the “GDPR”), which came into full force on May 25, 2018, is the most comprehensive rewrite of privacy law in the modern era. The GDPR replaced outdated data protection legislation in Europe originally enacted in 1995. In 1995, the Internet existed, but in a very primitive form. Fast forward to the current age of Google, Facebook and the mass processing of personal data, and it is no wonder that the EU felt the need to update its legislation.

One of the stated purposes of the GDPR is to bridge a perceived gap between the European fundamental right to privacy, and the routine collection and use of personal data in our increasingly digitalized economy. It places more prescriptive requirements on organizations that process personal data, with an emphasis on accountability and evidencing compliance, while strengthening individuals’ rights. A significant change in powers for the relevant supervisory authorities means they are now able to impose material fines of up to €20,000,000 or 4% of annual worldwide revenue (whichever is the higher) for serious violations.

GDPR and Insurance

The GDPR is viewed by many as a model for updating privacy laws around the world. However, as we start to live with the GDPR and its effects, I believe it is essential for policymakers and regulators to appreciate that different industries and organizations use personal data for different purposes and in different ways.

For instance, insurers like AIG use data for very different purposes than social media companies, and for EU countries implementing the GDPR (and countries around the world looking at the GDPR as a possible model) it will be important for privacy laws to recognize and reflect those differences.

Insurance companies often need to process sensitive personal data to underwrite risks, and provide claims handling and other insurance related services. AIG, like other insurers, recognizes the importance of data protection when collecting personal data, as it is essential to maintaining the trust and confidence of its insureds. Since the GDPR was enacted in 2016, AIG has deployed a dedicated cross-functional stakeholder program to bring AIG in line with the GDPR and related local legislation.

While the GDPR is meant to harmonize a patchwork of data protection laws across Europe, the EU has delegated to member states the ability to define certain specific requirements (including the age at which children can consent to the processing of their personal data, the processing of criminal convictions data and data processing considered in the substantial public interest).

The UK has chosen to define specific requirements relating to the processing of personal data in the insurance industry, among other areas. The GDPR limits the permissible grounds for the processing of criminal records data, and what are called “special categories of personal data,” such as health data. Most commonly, explicit consent from an individual is required as a legal ground for processing such data. This makes sense in most cases – reasonable individuals would expect organizations to obtain their explicit consent to process sensitive types of personal data.

Requiring explicit consent in the insurance context presents challenges, however. The insurance industry often needs details of health and criminal conviction data to achieve risk-based pricing of premiums, underwrite policies effectively and process claims promptly for their customers.

Put simply, without this data we would not be able to underwrite risks effectively, and consequently the cost of insurance premiums would likely rise or insurers might not be able to provide coverage.

Consent is particularly challenging for insurers when it comes to claims handling as the GDPR provides that individuals have the right to withdraw the consent they had provided for the processing of their personal data. Special categories of personal data (such as health information) are often necessary for an insurer to appropriately process a claim (such as a claim under an employee liability policy). How can consent then be withdrawn by an individual if this results in the insurer needing to cancel the policy or not being able to pay the claims because the insurer is no longer able to process the necessary data? This is clearly a conundrum!

Recognizing the unique purposes for personal data processing in insurance, key insurance stakeholders in the UK worked closely with insurance organizations including the Association of British Insurers (ABI), the Lloyd’s Market Association (LMA), and the UK government, to establish the specific legal grounds, or legal justification, on which insurers can process data. According to this specific insurance processing ground, special categories of personal data and information on criminal convictions can be processed under UK law without consent where it is necessary for legitimate insurance purposes (such as underwriting, administering a policy and handling a claim) and is in the substantial public interest.

1. the availability of insurance;
2. risk-based pricing;
3. the ability to detect and investigate fraudulent claims; and
4. the efficient administration and payment of insurance claims

are all matters of substantial public interest. As a result, and subject to certain exemptions, the UK insurance industry has a clear and defined legal basis for processing certain special categories of personal data and criminal records information where it is necessary for underwriting or claims handling.

Rhiannon Webster, a partner at DAC Beachcroft who worked with the LMA and ABI in achieving this derogation, explained:

When considering the insurance processing ground, Parliament recognized that:

GDPR as a Model

We are now waiting to see whether the UK is paving the way for the insurance industry and whether any other member states will follow suit. For example, the Netherlands is considering legislation to address the processing of personal data by insurance companies. Ireland also has legislated for a specific insurance processing ground (although it is limited to the processing of personal data relating to health).

Most EU member states have only just finalized their local legislation and some versions are still in draft. At AIG, we continue to work within the existing GDPR framework and supplemental local legislation where it applies. It is safe to say that the GDPR has a long tail and we at AIG, along with the rest of the insurance industry, will be working hard on our compliance programs for years to come.

AIG believes that privacy laws should be updated to address how our personal data is used in this modern age of social media, smartphone apps, and “big data.” That said, not all organizations use personal data in the same way or for the same purposes. AIG and other insurers process personal data for very different reasons than social media companies. As other countries look to the GDPR when updating their privacy laws, they should recognize that a “one size fits all” approach to privacy regulation may not be the best approach. As the UK has done, and as other EU member states are considering, policyholders and regulators should recognize the legitimate and important societal purposes for which insurers process data.
