Complying with the European Union’s new General Data Protection Regulation is leading insurers and reinsurers to dilute the types of data they gather—something that could diminish underwriting quality, A.M. Best said in its latest regulatory assessment.
The GDPR kicks in on May 25. Carriers consulted by the ratings agency said they are pursuing compliance, in part, by planning stricter data access rules within their organization. Many also expect a drop in new data collection to the minimum information needed and a general shift toward aggregated, anonymous data versus individual information. A.M. Best said these changes, while complying with the GDPR, could harm underwriting.
“These actions may carry the side effect of diluting data quality for analytical purposes, with negative implications for underwriting and product offerings,” A.M. Best noted.
The regulation, which covers personal data held by companies, also requires insurers/reinsurers and other companies to report any data breaches within 72 hours. Companies must be able to provide European customers with a copy of their personal data and delete it in certain situations at their request. Technology companies, retailers, healthcare providers and banks are also affected by the law.
Noncompliance with any part of the GDPR can lead to fines of up to 4 percent of annual global revenues.
GDPR Complexities Abound for Insurers and Reinsurers
Those examples are just some of the complexities insurers and reinsurers are facing as they seek to comply with the new regulation, A.M. Best said.
“Complexity—both operational and legal—as well as preparing for the tight reporting window for breach notification, are the main challenges that [insurers/reinsurers] have met on their path toward compliance,” A.M. Best noted in its regulatory review update.
Among insurers and reinsurers, A.M. Best said that market participants with large business portfolios (including those with more retail business) pointed to the challenge of addressing the law’s requirements for individual rights, “such as a subject’s access rights and the right to be forgotten.”
A.M. Best said there are other complexities due to the law, stemming from “the long chain of insurers and brokers” involved in specific areas such as treaty reinsurance.
Another issue is the way the GDPR has been incorporated into the laws of individual EU member states. This can make centralized data management and cross-border data flows more difficult, A.M. Best said. But the 72-hour data breach disclosure requirement could be particularly difficult.
Insurers/reinsurers “anticipate that Article 33, and particularly the 72-hour incident response requirement, is likely to put companies’ internal processes and functions under considerable pressure, making pre-event planning and training even more important,” A.M. Best wrote in its report.
Insurers and reinsurers are seeking help from local regulators and building on their existing data protection systems in order to comply with the added rules, A.M. Best said. The cooperation between the government and private sector has led to best practices, according to A.M. Best, elevating “the overall level of preparedness in the process.”
Source: A.M. Best