In 2017, global insurer AXA suffered the unthinkable: a cyber attack on its health portal in Singapore that leaked the personal data of thousands of insurance customers. Thankfully, the exposed data was limited to names, contact details and dates of birth, but nobody could blame affected customers for beginning to shop around, and cyber security experts warned that even that much is enough to expose those affected to sophisticated, targeted phishing attempts.
London-based international law firm Clyde & Co warned in December that it believed the insurance industry was ill-prepared to face the challenges of GDPR compliance in the run-up to 25th May, which they called “the biggest change in data protection laws in more than a generation”.
Insurance is, of course, primarily concerned with risk, which is also a keyword of the new legislation. To what degree and in what way are you placing your customers at risk simply by going about your daily business while collecting, storing and utilising their personal data? Questions must be asked, and answered, at every turn and in every part of the business.
Insurers unavoidably hold detailed records about their customers, and they apply sophisticated mathematical formulae and computer algorithms to those records to decide what cover can be offered. In an industry like this the ‘risk appetite’ is high, and with it comes an inherent confidence in tried-and-tested processes.
But the General Data Protection Regulation is virgin territory, and there is no leniency for complacency: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, threaten even the largest businesses with heavy losses in the event of noncompliance. A breach like the one in Singapore would not be treated lightly under the new European regime.
Thankfully, resources abound and the privacy industry is increasingly well-prepared to assist complex, high-risk organisations like insurance companies to meet their initial and ongoing need for strict compliance with data protection and privacy law, across national borders.
Nearly all insurance companies fall under the GDPR’s mandatory requirement for a Data Protection Officer (DPO), since their core activities involve large-scale processing of personal data, often including special categories such as health data. Companies like Privada offer service contracts so the role can be outsourced instead of hiring an individual DPO, at a time when recruitment pools are drying up and expected salaries are rising.