The legislative pressure on insurers continues apace. The Insurance Act 2015 introduced the most profound changes to English insurance law for at least a century. It was followed almost immediately by the Enterprise Act 2016, which gave an insured the right to claim damages in the event of the late payment of its claim. No sooner have insurers adjusted to these changes, however, than they must wrestle with what is potentially an even more profound legislative change in the form of the General Data Protection Regulation or GDPR.
The GDPR is due to come into force in May 2018 and introduces new rules for the control and processing of personal data. The penalties for breach of these rules are potentially severe and may be as much as 4% of global turnover or €20 million, whichever is the greater. The changes introduced by the GDPR will have a profound effect on how insurers handle personal data, not only in underwriting risks and handling claims but also when using data for the purposes of analysis. Issues will arise as to the uses to which a piece of data may be put, how long it can be stored and how it should be kept (if at all). Indeed, so profound is the potential impact of the GDPR on insurers that the LMA and IUA are lobbying the Government for exemptions from the Regulation for the insurance industry.
It would be a mistake to think that the consequences of the new laws will be felt only by underwriters of personal lines business. Rather, GDPR will affect everyone in the underwriting chain including the insurer, reinsurers, brokers, coverholders, claims managers, loss adjusters and even document disposal organisations. The impact of the GDPR will not only be felt in Europe; companies anywhere in the world which control or process the personal data of European citizens need to start adjusting to the new Regulation immediately.
It would be a mistake too to think that Brexit will mean that the Regulation will not be applied in the United Kingdom. The GDPR will come into force in the UK at least a year prior to Brexit and all the signs are that the UK Government will retain the Regulation or very similar rules in place after Brexit. In any event, any insurer hoping to do business involving European citizens will have to comply with the Regulation come what may.
While not as spectacular as the changes introduced by the Insurance Act and Enterprise Act, the impact of the GDPR on the day-to-day operation of all organisations operating in the insurance industry may be even more profound.