Significant concerns about the new regulation are being raised in the insurance industry and organisations have yet to begin to properly prepare for the new regulatory environment.
Data has long underpinned insurer fraud strategies and powered counter fraud controls. As well as interrogating their own data, insurers share data, to include via industry bodies and platforms such as the Claims and Underwriting Exchange [CUE], Insurance Fraud Bureau [IFB], Insurance Fraud Register [IFR], for the purposes of preventing fraud.
Under the new rules companies will have to rigorously record and evidence how and why they are using and sharing data and there are fears that the advances made in data sharing as an industry will be undermined. Access to and analysis of collective industry data is crucial in the fight against fraud and in particular, organised fraud.
There is still a great deal to be clarified about the rules and the implications of the GDPR in the way data can be shared compliantly for the purpose of fraud prevention and industry bodies are working with the ICO in an attempt to establish guidance.
A further key concern for insurers is the issue of consent and the customer’s ‘right to be forgotten’.
Under the regulation customers can request information on how their data is being used and, in certain circumstances, request the erasure of that data.
The right to data erasure applies:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- when the individual withdraws consent;
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- the personal data was unlawfully processed;
- the personal data has to be erased in order to comply with a legal obligation.