Beginning May 25, any company from any country that collects, stores, or transmits data on citizens of European Union countries will be subject to the EU’s strict new data privacy directive known as the General Data Protection Regulation (GDPR). Regulators and insurers are still figuring out how it will affect them.

A panel of state insurance regulators at the April 24-26 2018 Global Insurance Symposium in Des Moines, Iowa wouldn’t speculate about when such restrictions could come to the United States.

At the same time, the panel acknowledged that some aspects of GDPR overlapped with the cybersecurity standards imposed on insurers and other financial services companies by the New York Department of Financial Services. Future U.S./state regulation on this issue remains murky, however.

“We have to determine who owns the data first,” said Eric Cioppa, superintendent of insurance in Maine. “In Europe, they’ve made the determination that the consumers own their data.”

As a practical matter, personal data in the U.S. is effectively owned by the company that collected it, he suggested.

“With telematics,” he said, “if you switch insurers, you don’t bring your driving data to another company and say ‘Underwrite me now based on the telematics from my prior carrier.’

“Until we resolve that issue, I don’t see us going in [Europe’s] direction.”

EU Data Protection Law Has Long Reach

Even on its own, the GDPR’s reach is long, said Mark Bloom, chief technology officer for life insurer Aegon N.V., in an address to the GIS event.

“Not only does [GDPR] deal with data processing by European companies” Bloom said, “but it also deals with companies outside of Europe that process European data.”

One may be surprised at the wide range of data, including nicknames and initials, that can be considered personally identifiable data subject to GDPR. “Every bit of information that could be associated back to an individual is personal data,” Bloom said.

Failure to adhere to GDPR could be costly, he added, calculating that such a maximum fine could amount to $1 billion for a company the size of Aegon, or 4 percent of “global turnover.”

In EU Consumers Will Own Their Data

Perhaps most significantly, GDPR establishes the principle that an individual consumer owns data about himself or herself, with three important functional implications:

• Personal information can be used for commercial purposes only if the individual “opts in” to allow it;
• An individual has the right to ask how his/her personal information is being used; and
• An individual has the right to “be forgotten;” i.e., have his/her personal information permanently expunged from company data records.

“If I left a company, or disassociated myself from a company for any reason, under GDPR, the company has to do that [remove records],” Bloom said. “All traces of a person need to be forgotten in the company. That’s a very difficult problem to address.”

The requirement to “forget” people even extends to data collected before the advent of networked information, Bloom added. For example, if old records are kept as PDFs, an organization needs to be able to find and remove information on individuals from those PDFs.

With regard to old records, Bloom counseled listeners to develop and adhere to retention timelines in accordance to carefully considered business needs.

“You want to be really careful how long you want to hold onto customer data,” he said. “To the degree you have a well-defined retention policy, it will help you in the long run.”