Businesses will be required to be transparent about the way they are using customer data and mandated to declare any cyber attacks and data breaches. Businesses will face fines of up to £17m or 4% of global turnover, whichever is greater, in the event they fail to notify the regulator of a breach within 72 hours. Breaches can range from sending client information via email without their consent to data-theft by hackers and ransomware attacks.
Significant concerns about the new regulation are being raised in the insurance industry, and reports suggest many organisations have yet to begin properly preparing for the new regulatory environment. Uncertainties around the implementation of the new law are causing a considerable degree of confusion and inertia. Meanwhile, a sea of ‘GDPR experts’ are promoting their services using the ticking-clock syndrome and fears of fines for non-compliance to encourage take-up.
Data is clearly fundamental to insurance businesses. Insurers hold a wealth of historic personal customer data which is used to assist in pricing risk, detecting fraud and improving the customer experience via customer profiling. Data is also being collected and analysed in real time, for example telematics data and app-based insurance services. Big Data is being used to drive many insurtech propositions, and there is a concern that limiting access to data will slow down innovation in the industry. There can be no doubt that under the new regime, insurers will face major changes in the way they collate, process and store the data they collect from customers.
The Fight Against Fraud
Data has long underpinned insurer fraud strategies and powered counter-fraud controls. As well as interrogating their own data, insurers share data, including via industry bodies and platforms such as the Claims and Underwriting Exchange [CUE], Insurance Fraud Bureau [IFB] and Insurance Fraud Register [IFR], for the purposes of preventing fraud. Under the new rules, companies will have to rigorously record and evidence how and why they are using and sharing data, and there are fears that the advances the industry has made in data sharing will be undermined. Access to and analysis of collective industry data is crucial in the fight against fraud, and in particular organised fraud. There is still a great deal to be clarified about the rules and the implications of the GDPR for the way data can be shared compliantly for the purpose of fraud prevention, and industry bodies are working with the ICO in an attempt to establish guidance.
A further key concern for insurers is the issue of consent and the customer’s ‘right to be forgotten’. Under the regulation customers can request information on how their data is being used and, in certain circumstances, request the erasure of that data.
The right to data erasure applies:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- when the individual withdraws consent;
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- where the personal data was unlawfully processed;
- where the personal data has to be erased in order to comply with a legal obligation.
A request for erasure can be rejected:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation, perform a public interest task or exercise official authority;
- for public health purposes;
- for archiving purposes in the public interest, for scientific research, historical research or statistical purposes;
- for the exercise or defence of legal claims.
Notwithstanding the questionable ability of many insurer legacy systems to identify, extract and delete specific data within compliant time frames, this requirement could pose a serious fraud risk. Potentially, a customer could submit a fraudulent claim and then request that their data be removed from the system, creating an opportunity for the submission of yet another fraudulent claim. The possibilities presented for serial fraudulent claimants are clearly worrying.
The ICO is seeking input from insurers to understand their concerns around some of the GDPR clauses, specifically in relation to counter-fraud controls. Insurers may have grounds on which they are allowed to hold certain data, and the ABI is lobbying the government to pass legislation so insurers can effectively use fraud indicator data and criminal conviction data.
ID Verification
In the current climate of uncertainty, as insurers risk-assess and adapt their processes and as the post-GDPR operating environment unfolds, ID verification is a valuable tool available to support insurers. CRIF’s ID Check service is a robust identity verification and due diligence solution which calls upon an extensive collection of consumer information, including public data, to verify identity and analyse the risk associated with an individual. ID Check can provide a brief results summary and a detailed, granular risk assessment report with an easy-to-interpret corresponding score. ID Check can be used throughout the customer life cycle, at the point of quote, sale and claim, supporting insurers with accurate information about the subject in order to accurately price risk and identify fraud indicators.