Consumers will now be able to contest decisions you make about them based on automated processing [1].

In fact, unless you’ve specifically entered into a contract with them to do so, you usually won’t be allowed to profile them at all.

Insurers have come to rely more and more on data in recent years to identify homogenous risk pools.
But GDPR’s consent requirements are likely to make doing this harder and harder in the future.
Individual health data in particular may now be off the table.

Insurance providers’ reliance on data to detect fraud may be hampered by GDPR’s consent requirements.

If you’re excited by the potential of telematics to let you price policies more finely, you’re in for a disappointment. According to PwC, GDPR may severely limit the uses of telematics data without explicit consent. Monetising it may even become impossible [2].

Disclosure now represents a much larger burden in some countries following a breach. A company has a 72-hour clock to report breaches to its Supervisory Authority, and affected customers must be notified as well.

This means you’ll probably pay out much more towards setting up disclosure centres when these breaches happen.

Start demanding much more from your policyholders when it comes to security procedures. They should at the very least have breach detection and response protocols in place, alongside solid Data Loss Prevention (DLP) policies.

You should expect them to be able to give you a full rundown of their compliance in terms of both policy and systems. (This won’t represent much of a burden for them: if they regularly process data, they’ll have to demonstrate this to their DPO anyway.)

Because your policyholders might not be. As many as 20% of IT leaders in the UK were unaware GDPR even existed in 2016.

That means that come 2018, they might be committing a violation of their insurance terms as well as of GDPR. You should expect a full rundown of the procedures and systems your clients are using.

You’ll need to follow the same approaches and protocols as any other large organisation managing personal data on a large scale.

[1] GDPR, Article 22

[2] PwC, Standing out for the right reasons: Getting insurers ready for the GDPR, May 2016