Is the insurance industry ready for GDPR?


By the nature of its business, the insurance sector collects and has access to a large amount of personal data.

(Re)insurers and their service providers (including third party administrators) routinely hold and process significant amounts of data relating to their insureds.

The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Many insurance products require personal data to be processed whether in connection with the underwriting process or at the time that a claim is made. This is particularly the case in personal lines business such as travel and home insurance.

Implementing effective data protection controls into daily operating procedures is a huge challenge. When the EU General Data Protection Regulation and UK’s Data Protection Act 2018 come into force on 25 May 2018, however, businesses ignore it at their peril, as non-compliance can result in large fines (up to €20,000,000 or 4% of annual turnover) and reputational damage. There are also commercial benefits to effective compliance: companies which protect the privacy of their (re) insureds and business associates are more likely to attract and retain business and staff.

The GDPR will apply not only to businesses based in the EEA but also to data processing carried out by companies outside the EEA if they have an office within the EEA or offer goods or services in the EEA to individuals based there.

Our factsheet available here sets out the issues you need to consider and how you can action them and demonstrate compliance.

Simon Cooper
Mehmet Achik-El