Bringing out the big guns
GDPR is a powerful weapon in the EU’s consumer protection armoury, but this latest barrage of compliance has positives as well as challenges for the (re)insurance industry
If data is the new battleground in regulators’ long war to curb corporate excess, the General Data Protection Regulation (GDPR) is the big gun in the EU’s armoury.
The rules, which apply from 25 May this year, will usher in a range of obligations for companies collecting EU residents’ ‘personal data’, a widely drawn concept that can include policyholder numbers, IP addresses and even pseudonymised information where the individual can still be singled out.
The system is underpinned by vastly increased fines: up to 4% of global annual turnover or EUR20mn ($28.1mn), whichever is greater, for companies breaking the rules. The maximum under existing UK legislation is £500,000 ($614,871).
Among other changes is an obligation to report data breaches to the supervisory authority within 72 hours of becoming aware of them, while data subjects will have the right to receive the information held on them free of charge, normally within one month. The framework also imposes direct legal obligations on data processors, those handling information on behalf of a controller, for the first time.
Europe-wide, companies are overhauling the data they hold, how it is stored and how it can be retrieved and deleted. They are undertaking sweeping internal training programmes and supplier outreach and reviewing their own human resources systems. But the (re)insurance sector is bracing for specific challenges, from the pricing of risk to the handling of claims. And it’s not just a personal lines issue.
Graeme Tennyson, who is risk and compliance director at Aegis London, notes that: “London market firms will inevitably be handling ‘special categories of personal data’ in the normal course of business and people will have to take stock of where that data is coming from and what uses it is put to. Even with the new ‘insurance purposes’ derogation GDPR still gives insurers some pretty onerous tasks to contend with.”
The derogation in the UK incarnation of the EU regulation provides a lawful condition for processing data for ‘insurance purposes’ without the data subject’s explicit consent. At the time of writing, the UK Data Protection Bill is still making its way through parliament, but assuming the amendment sticks, it will save the industry considerable heartache. Without it, companies collecting so-called ‘special category’ data, such as sensitive information about health or political allegiances, and data on criminal convictions, would find it both time consuming and expensive to collect consent through a distribution chain that is typically several steps removed from the end consumer.
The Lloyd’s Market Association (LMA)’s legal and compliance director, Kees van der Klugt, says: “That sort of operational construct would make it more difficult for the market to provide a good choice of products at competitive prices.”
Consent under GDPR can also be withdrawn at any time, so relying on it could jeopardise carriers’ ability to fulfil contracts if policyholders changed their minds.
Across the EU, local derogations will only be applicable for data controlled – or processed – within that particular member state.
In other EU countries the legal basis insurers will use for handling data will vary, with a patchwork of derogations emerging as the regulation is transposed into local law.
Insurers are looking to the EU’s Article 29 Working Party, the advisory body made up of the national data protection authorities (to be replaced by the European Data Protection Board once GDPR applies), for guidelines on working within the new rules.
Managing data flow
GDPR compliance will be tough for all businesses, although the specialty insurance and reinsurance sectors face specific challenges.
One is the movement of data, often across borders, through the numerous parties involved in any given contract. This is likely to involve, as a minimum: brokers, several firms of insurers, reinsurers and third-party administrators (TPAs) – and where coverholders and sub-coverholders are involved the chain becomes even more complicated.
One senior TPA executive notes: “In a syndicated market information flows all over the place, and all in different ways, both in paper form and electronically through email. That puts on a lot of pressure if you are making sure you are managing personal data sensitively and meeting all the requirements sensibly.”
The global flow of data, including through regimes with their own data protection rules, means the sector needs to be careful to comply with local regulations as well as EU ones.
And even within the EU, in the context of the UK’s departure from the EU, the country’s future ability to receive data from the rest of the trading bloc is not cut and dried, despite the fact that the UK government is enthusiastically adopting GDPR.
The situation mirrors the debate over whether the EU will recognise UK financial regulation as ‘equivalent’. In the case of GDPR, ‘adequacy’ is the buzzword.
In a January notice to stakeholders the European Commission (EC) confirmed that UK adequacy for EU data protection law purposes is not a given, but is instead a matter for decision by the EC.
Businesses may therefore have to rely on other legal bases, such as standard contractual clauses or binding corporate rules, for keeping data flowing across borders. As Hogan Lovells lawyer Clare Douglas says: “It would make things considerably more difficult, but if adequacy is not addressed companies would be able to find alternatives.”
The flow of data from the UK to the remaining members of the EU should, at least, be straightforward, Douglas notes. The UK Information Commissioner’s Office (ICO) has already said that no binding corporate rules – which provide for the transfer of data within corporate groups – will be cancelled because of Brexit.
Controllers and processors
The syndicated nature of the specialty insurance market also raises the prospect of disputes if one carrier causes a data breach. Disputes could be exacerbated if insurers are grouped as ‘joint controllers’.
Steve Morrell, the LMA’s head of regulatory affairs, notes: “The regulatory requirements placed on data controllers are significant, so it is important for insurance market participants to agree whether they act as data controllers or data processors, the latter processing data on behalf of the former. Our view is that usually brokers, coverholders and insurers will be controllers in their own right, with clear responsibilities to consumers.”
The LMA believes that designating such parties as controllers separately – rather than as joint controllers – will reduce the prospect of disputes. The LMA has spent a lot of time overhauling model wordings for terms of business agreements (Tobas), binding authorities, third-party administrator agreements and consortium agreements to respond to the new framework.
But the regulation certainly provides fertile ground for disagreements between different parties in the insurance chain if things go wrong.
Companies are frenziedly revising contracts to allow for indemnification by business partners and suppliers against fines or claims from third parties, and Tobas between brokers and managing agents are swelling as a result.
TPAs and MGAs
The TPA executive notes that under GDPR TPAs are facing the prospect of having to accept unlimited liability on contracts potentially worth only the low tens of thousands of pounds.
Keoghs partner Andrew Schütte notes: “This is a new area for people and as a result the discussions are not always well-informed. There are all sorts of potential liabilities out there. The question of how you allocate them commercially is playing out right now and will play out over the next few months. This will be the case all the way down the chain from policyholders to brokers and coverholders, to insurers and reinsurers, and to the service providers to the insurance industry and their professional indemnity insurers.”
Aegis London’s Tennyson adds: “Where you are using third parties, firms need to satisfy themselves that these have appropriate controls in place to deal with data and appropriate insurance to deal with any liabilities.”
If TPAs are feeling the pressure, managing general agents (MGAs) are also in a difficult situation.
One MGA executive points to a grey area in MGAs’ rights to access claims data, if this is being handled by a TPA appointed by the capacity provider, even when the MGA has delegated claims authority.
He says: “A lot of thought seems to have been given to brokers accessing the market and third-party administrator agreements but a lot of sensitive data comes at the claims stage. Claims that come in can be quite memorable, and at a lot of insurance companies it would not be unheard of for anyone to come and open a claims file.”
Like TPAs, MGAs also report that there are routine attempts to pass the buck between capacity providers and MGAs, with the latter generally advised to push back.
Other particular challenges for MGAs include compiling client lists, particularly for those dealing with smaller intermediaries which use personal email.
Reinsurers have their own issues with the new rules. Unipol Re chief risk officer Michael Doyle is concerned that the reinsurance sector’s access to the data it needs from cedants to price risk properly could be curtailed.
The first major test of this will come at next year’s 1 January reinsurance renewals. However, anecdotal evidence from Germany, where privacy law is notoriously stringent, suggests brokers are already pre-emptively redacting more information than necessary. The International Underwriting Association (IUA) is concerned carriers could inadvertently breach sanctions if personal identities are masked, since sanctions screening depends on the very names that redaction removes.
As for the reinsurance renewals, Doyle says: “I don’t want anything we don’t need. It’s nice to have some names but there are certain things you definitely do need – like the location of the risk and the age of the person. If people get overzealous with their redacting, that can cause problems.”
Because of their distance from the end consumer, reinsurers also need to make particularly sure their data mapping and retrieval systems are up to scratch, adds Doyle.
“If an insurer came to you and said, ‘We have these 10 people who want to be forgotten’, you have to respond very quickly and make sure you can change it at any given time.”
The (re)insurance sector is also grappling with how to monitor sensitive data coming in, and how to determine what personal information being transferred is relevant.
Carriers will also need to work out what to do with legacy data, including historic emails. And those companies and TPAs which record voice data may need to make hefty investments – if they haven’t already – in systems that allow them to retrieve it better.
The insurance industry may also need to keep personal data for longer than the seven years commonly advised, and be able to justify that retention under GDPR’s storage limitation principle.
Dealing with the ICO
For many London market carriers the lead data protection supervisory authority will be the ICO, which is currently busy taking on Facebook and Cambridge Analytica.
The ICO is led by Information Commissioner Elizabeth Denham, who has ruled out a GDPR lead-in period, but she has suggested the ICO will look kindly on those businesses that cooperate with the regulator when an issue arises.
Denham has also promised enforcement as a last resort, declaring it will be “proportionate” and that she prefers the carrot to the stick. But recent cases suggest the ICO means business.
In January it fined Kent loss-adjusting firm Woodgate and Clark £50,000 for unlawfully disclosing personal data which the ICO found had been obtained illegally by senior employees and what it called “rogue private investigators”. A director and a senior executive at Woodgate also received record financial penalties, along with the private investigators.
The case dated back to 2013 and centred on banking data about the policyholder, illegally obtained by the private investigators.
At the time the ICO noted that the case was part of its ongoing investigation into allegations of a criminal trade in confidential personal information, involving corporate clients suspected of using the services of rogue private investigators.
The ICO also pursued Hiscox at Southwark Crown Court for allegedly attempting to force a policyholder to furnish them with his criminal record before it would pay a claim for a £30,000 watch. However, Hiscox, which had denied the charges, was cleared when the policyholder – the ICO’s key witness – fell ill and the jury was discharged.
The ICO is offering free voluntary audits of data systems and is developing a sandbox for companies to test their processes. It is also staffing up, and has government clearance to increase employee numbers from about 490 at present to 600 by 2021.
However, it is not only ICO fines people are worried about; GDPR is also seen as providing a lever for individual and class action lawsuits regarding the misuse of data.
A January 2014 High Court ruling in a case known as Vidal-Hall v Google, upheld by the Court of Appeal in 2015, established a precedent for pay-outs to compensate for distress even where there is no financial loss arising from the mishandling of data.
The IUA is concerned that several provisions within GDPR could encourage spurious litigation by data subjects, or by law firms acting on their behalf that spring up to take advantage of the new rules. The very fact that data subjects have a new right to access their data for free could encourage litigation ‘fishing trips’, the organisation fears.
But where there is new risk, there is new opportunity for insurers. Whether it is legal to insure against fines is a legal grey area and varies from jurisdiction to jurisdiction, with the practice outlawed in Italy.
The stock caveat is that a risk is insured ‘to the extent that it is insurable by law’ and in practice there is a large swathe of grey between routine inquiries that are part of normal business operations and, say, a fraud investigation.
The UK Government’s Department for Digital, Culture, Media and Sport has indicated to underwriting representatives that it sees nothing in the legislation that suggests fines under GDPR are not insurable. But at the same time, it has also noted that the fines are meant to deter companies and individuals from bad practice.
Reasons to be cheerful?
The broader cyber insurance class is likely to gain a fillip from the new rules, and demand will probably increase for directors’ and officers’ insurance and other liability policies. But at the same time, insurers’ exposure under these types of cover will rise. And, as with any cyber-related product, the extent of their exposure is by no means obvious.
A less equivocal positive of the legislation is that GDPR has a good chance of becoming the gold standard for data protection rules worldwide and carriers complying with the European regulation will be well placed for rules in other jurisdictions, says Fifth Step CEO Darren Wray.
Roughly 30 countries have fully developed data regulation, with varying requirements regarding breach notification, the obligation to have a data protection officer or a chief information security officer, and the cross-border movement of data.
GDPR also comes hot on the heels of the New York Department of Financial Services’ Cybersecurity Regulation (23 NYCRR Part 500), which took effect in March 2017.
Wray, the author of The Little Book of GDPR, says the ideal situation is for companies to be able to use a common control framework to ensure global compliance with data rules.
“It’s possible to share a great deal of those controls between GDPR and regulatory requirements around the world, and the EU recognises about a dozen jurisdictions as providing adequate protection [for consumers’ data].”
Wray advises those considering entering the EU market to take on board the new regional rules well in advance. He also warns insurers against thinking that advanced preparations for GDPR means the job of compliance is done.
“You’re going to need to have a continual improvement approach to this,” he says.
This article was first published in the Spring 2018 issue of Insider Quarterly