Big Data means big challenges – and opportunities
The era of Big Data means insurers must balance the benefits with increasing responsibility. The burden of responsibility will undoubtedly increase…
The era of Big Data means insurers must balance the benefits with increasing responsibility. The burden of responsibility will undoubtedly increase with the introduction of General Data Protection Regulation (GDPR). Sean Crotty discusses the key issues.
Big Data is driving profound and wide-ranging changes across the insurance industry, making business more efficient for insurers who must deal with massive volumes of data – and at the same time presenting major challenges.
For example, Big Data can potentially help with the cost of certain premiums, while certain databases that we advise upon – such as CUE (Claims and Underwriting Exchange) – enable the insurance industry to operate much more efficiently.
Yet, despite the commercial value that derives from holding and using large quantities of data, significant risks must be carefully managed in relation to processing personal data.
GDPR will come into effect in May 2018, bringing (amongst other things) substantially increased fines of €20 million (approximately £17 million), or four per cent of annual global turnover for certain contraventions. GDPR should not be taken lightly!
In addition to these swingeing financial penalties, enhanced data subject rights mean potential regulatory pitfalls. For example, the right to easily withdraw consent for processing represents a major concern in terms of how it will affect conditions for processing by insurers.
Insurers should also prepare for other data subject rights which will be introduced by the GDPR, including the right of erasure (also called the 'right to be forgotten'), together with the right to data portability and, in certain circumstances, the right to object to automated decisions or profiling – a major risk in relation to Big Data.
We currently await the final draft of the Data Protection Bill, so it's a question of watching this space in relation to its impact upon the insurance industry. However, it is clear that the final versions will have major implications for the use of personal data by the UK insurance industry.
Although many see the GDPR as a burden because of increased fines, statutory timetables for breach notification, increased data subject rights and, importantly, reputational damage, GDPR is also a golden opportunity to get your house in order and ensure that you are using data correctly.
Surprisingly, under the Data Protection Act 1998, many organisations have been operating on 'a wing and a prayer' when it comes to data protection compliance. GDPR is a healthy wake-up call that will force insurers to process data correctly.
Moreover, you can mitigate the risks through ensuring compliance – for example carrying out privacy impact assessments (if required) and recording your data processing operations correctly – so that you don't fall foul of the stricter regulatory regime.
It's important to keep in mind that GDPR relates to personal data – data that allows a living individual to be identified – and not necessarily all Big Data, which by its nature is often anonymised. However, if the data being processed isn't personal data, although the GDPR may not have a major impact, such data should be protected as an important asset of the business.
When determining whether or not data is personal data, it should be noted that care must be taken as this is not always obvious. For example, if personal data is anonymised at a later date, it has been personal data at an earlier stage, and therefore the GDPR will apply at some point.
Many insurance databases will consist of personal data because – with the exception of purely statistical information – that's what benefits the insurance industry!
So, while GDPR undoubtedly represents major challenges to the insurance industry, the new regime should be embraced as an opportunity to improve risk management procedures and make data processing operations more efficient. If you haven't commenced your GDPR preparations yet, there is no time like the present.
GDPR is also a golden opportunity to get your house in order and ensure that you are using data correctly.