What is GDPR?

General Data Protection Regulation (GDPR) is the EU regulatory framework for data privacy, which comes into effect on May 28, 2018. Directly applicable in member states, this regulation will gradually replace French data protection law (Loi Informatique & Liberté) under the authority of CNIL, the national regulator.

What new requirements does this regulation introduce?

There are numerous new requirements in different areas (legal, IT, organization, HR, etc.), involving:

1. Markedly higher sanctions, with penalties of up to €20 million or 4% of consolidated revenues;
2. The data controller’s accountability extending to external partners and suppliers;
3. The principle of accountability replacing the principle of declaration;
4. GDPR rules being integrated into IT systems from the design phase;
5. Easier access to and management of personal information, with citizens being able to explicitly consent to or disallow data processing and modify or delete data;
6. Alerts being made to the supervisory authority within 72 hours of a security breach.

Are all companies equal when it comes to data privacy?

At first sight, no. While clients consider it “inevitable” or even “legitimate” that their personal data will be collected by internet giants like Google and Apple, they are wary of requests for personal data coming from banks or insurance companies. This difference in perception can be explained in several ways. First, since the financial crisis, consumer confidence in banking and insurance companies has dropped, reaching only 52% according to an OpinionWay survey in 2016. More specifically, clients understand the meaning and purpose of data being captured by online giants like Google, since they see the resulting client benefits: improved services, personalized/exclusive offers, etc. But these are not so obvious in the banking and insurance sector.

In addition, the speed at which companies are working towards compliance varies enormously. A recent study indicated that in the first quarter of 2017, 45% of French companies were unaware of GDPR principles and even fewer knew the enforcement date.

GDPR: a turning point for risk prevention

The French insurance federation (FFA’s) website announces that “prevention is an integral part of the insurer’s role.” Given the initiatives taken in the sector (e.g. “pay how you drive”), prevention may finally take on more importance as a way to attract new clients and build loyalty, after long being overshadowed by “X months of insurance free” incentives.

In fact, digital transformation reduces the insurable risks. This must encourage insurers to refocus their business models on prevention, with a strong impact on the data that should be collected and the means for doing to. To this end, companies need to “evangelize” their clients, explaining the reasons for capturing data (i.e. the benefits they can legitimately expect) to drive buy-in.

Compliance can also be seen as an opportunity for companies to make better use of the current and future data provided by its clients.

Improved management of the personal data collected and saved enables companies to better understand their clients (family environments, finances, use of insurance products, etc.) and anticipate their needs and expectations more effectively.

Instead of an administrative formality, the provision of personal data should be seen as enabling a company to get to know its clients and offer win-win services (e.g. advantages and reductions), including solutions and prices adjusted to their lifestyles and risks (a bonus or surcharge on all types of insurance). This virtuous circle can lead to new personal data being collected automatically through connected objects (smartwatches, onboard cameras, etc.) and further boosting the company’s knowledge of their clients.

In addition, compliance with GDPR can be an opportunity to offer services that provide a competitive edge, such as secure storage of personal data and documents, or automatic reminders of documents that need to be provided or updated by policyholders.

GDPR can therefore offer companies opportunities to stand out in the eyes of clients. It can also speed up progress in certain areas.
The first is the fight against insurance fraud, which can generate savings. Every year, non-detected fraud involving fire, accidents and multi-risk insurance costs an estimated at €2.5 billion.
While the vast majority of companies have already set up anti-fraud programs, a legal gray area remains in terms of data collection and use. For example, big data solutions can combine data to help detect “weak signals” of fraud, but insurers need to warn clients in advance that their data will be used for this purpose. GDPR and the action required for companies to comply will help raise sector awareness of the importance of certain obligations and legally safeguard new anti-fraud initiatives.

Furthermore, GDPR provides an opportunity to reinforce file access security, especially for documents containing personal data. A recent study indicated that 47% of organizations have at least 1,000 sensitive files that can be accessed by all their employees.
GDPR embodies values that are well known to insurance companies: whoever claims to protect people and property must also take a stand on the rigorous protection of intangible assets (i.e. personal data). Companies have every interest in communicating this message of integrity to current and future clients.

GDPR: between regulation and opportunities

GDPR compliance constitutes a long-term commitment involving strong mobilization: the processes introduced must not only cover the collection of personal data but also its use throughout the lifecycle of contracts and the entire data retention period. In addition to this regulatory aspect, GDPR offers tremendous opportunities, ranging from strengthening client relationships to fighting fraud. Given this vast potential and the looming deadline, it is critical for companies to map out their personal data and develop an effective strategy.