How to protect customer data while complying with GDPR

Tighter consent laws in the EU affect where and how insureds’ information can be used.

GDPR requires that insurance companies ensure appropriate security when collecting, processing and storing private data.

The General Data Protection Regulation (GDPR) is catching many organizations off guard. GDPR, which gives European Union citizens extended rights over how companies handle their personal online information and levies large fines on those that don’t comply, became law in May. Insurers aren’t exempt from the law, as Lisa Loftis made clear in “Think GDPR doesn’t apply to you? Don’t be so sure.”

On the other hand, some insurers, especially those in Europe, may be more familiar with GDPR than many other professional disciplines. The number of companies investing in cyber insurance is on the rise, as companies anticipate accidental missteps, possible fines and a lawsuit or two. Larger, global insurance companies likely consider GDPR old news as well.

But what about everyone else? What about the insurance companies that don’t market around the world? How concerned should they be about GDPR?

Applying GDPR to insurance

They should be plenty concerned, since European citizens regularly do business in the States, buying auto and homeowner’s insurance for property they own in the U.S., and much more. The biggest issue for insurers concerns customer data — where it can be used and what can be done with it, according to recent research from GlobalData.

Insurers are used to doing whatever they want with aggregated customer data, as long as the customer has consented, though most have kept this power in check. Now, with tighter consent laws in the EU, much of that former freedom is gone. The minefield is knowing precisely what an insurer can do with information and what it can’t, and how to protect itself from what it doesn’t know. So where should an insurer start?

Start with an audit for ‘rogue’ private information

At most insurance companies, private information often ends up in unintended places such as spreadsheets, shared drives, email attachments and user devices. In these situations, data exists outside the intended security and compliance controls, creating considerable risk.

GDPR imposes strict requirements for private data keeping, maintenance and breach notifications to the affected parties. In order to comply, you must know where this data resides — not where it likely resides — and know that your company is properly managing and protecting that data.

Technology exists that will help uncover private information wherever it is hiding across an organization, reducing risk and improving compliance. By scanning line-of-business systems, content services repositories and hundreds of file formats, such tools uncover customer information hidden in digital cracks and crevices.

They do not address private information that exists on paper outside your digital systems, which is a different story entirely.
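A small illustration of the audit described above, added here as an example and not code from the article or from any vendor: it walks a constructed file share, scans text-based files (spreadsheets exported as CSV, notes, a saved email) for personal-data patterns, and flags hits that live outside the approved system of record as "rogue". The directory names, patterns and sample records are assumptions for the demo, and the report masks the values it found rather than copying them into yet another file.

```python
import re
import tempfile
from pathlib import Path

# Deliberately simple patterns (assumption: enough for a demo scan).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ()-]{8,}\d"),
}
TEXT_SUFFIXES = {".csv", ".txt", ".eml"}


def mask(value: str) -> str:
    """Keep only the ends so the findings report does not itself leak data."""
    return value[:2] + "*" * max(len(value) - 4, 1) + value[-2:]


def scan_share(root: Path, approved: Path) -> list[dict]:
    """One finding per file and pattern with hits; 'rogue' marks files that
    sit outside the approved system-of-record directory."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue  # skip directories and binary formats such as images
        text = path.read_text(errors="ignore")
        for kind, pattern in PII_PATTERNS.items():
            hits = pattern.findall(text)
            if hits:
                findings.append({
                    "file": str(path.relative_to(root)),
                    "kind": kind,
                    "count": len(hits),
                    "sample": mask(hits[0]),
                    "rogue": approved not in path.parents,
                })
    return findings


def demo() -> list[dict]:
    """Constructed share: one approved repository plus two stray copies."""
    root = Path(tempfile.mkdtemp())
    (root / "claims_system").mkdir()
    (root / "claims_system" / "policy.csv").write_text(
        "policy,email\nP-1001,anna.schmidt@example.com\n")
    (root / "adjusters" / "notes").mkdir(parents=True)
    (root / "adjusters" / "notes" / "export.csv").write_text(
        "policy,email,phone\nP-1001,anna.schmidt@example.com,+49 30 1234567\n")
    (root / "inbox.eml").write_text("Call the insured on +49 30 1234567 today.\n")
    (root / "logo.png").write_bytes(b"\x89PNG fake binary")
    return scan_share(root, root / "claims_system")
```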

Leverage retention policies

A sea change is occurring with respect to personal data. Where once companies considered customer data their own — an asset obtained, retained and used at their sole discretion — more and more customers, including insureds, consider that information theirs, regardless of where it lives and who is using it. GDPR underscores that point.

GDPR mandates that insurance companies and other organizations keep personal data only for the duration necessary for the purpose for which it was initially gathered. While instinct may suggest holding on to data might best serve the company, deleting that data may be even more beneficial. Unchecked stockpiling of private information can quickly turn valuable business data into a growing liability.
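One way to turn "keep it only as long as the purpose requires" into a check, added here as an example rather than the article's or any retention product's logic: each record carries the purposes it was collected for and the date each purpose ended, a retention clock runs per purpose from that end date, and a record is due for deletion only when every purpose has ended and its longest clock has expired. The purposes, periods and sample records are assumptions for the demo.

```python
from datetime import date, timedelta

# Assumed retention period per purpose, counted from when the purpose ends
# (a policy lapsing, a claim closing), not from first collection.
RETENTION_DAYS = {
    "policy_servicing": 365,
    "claim_handling": 2 * 365,
    "marketing": 180,
}


def retain_until(record: dict) -> date:
    """A record may be kept until the longest clock among its purposes runs
    out; a purpose with no end date is still active and blocks deletion."""
    deadlines = []
    for purpose, ended in record["purposes"].items():
        if ended is None:
            return date.max  # purpose still active: nothing to delete yet
        deadlines.append(ended + timedelta(days=RETENTION_DAYS[purpose]))
    return max(deadlines)


def due_for_deletion(records: list[dict], today: date) -> list[str]:
    """Ids of records whose every purpose has ended and expired as of today."""
    return [r["id"] for r in records if retain_until(r) < today]


# Constructed sample: three insureds with different purpose histories.
SAMPLE_RECORDS = [
    {"id": "cust-1", "purposes": {"policy_servicing": None}},        # policy in force
    {"id": "cust-2", "purposes": {"marketing": date(2023, 1, 10)}},  # only purpose ended
    {"id": "cust-3", "purposes": {"policy_servicing": date(2022, 6, 1),
                                  "claim_handling": date(2023, 3, 1)}},
]
```

Run on 1 January 2024 this flags only cust-2; cust-3 stays because its claim-handling clock has not run out, and cust-1 stays while the policy is in force.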

Automated retention management tools help organizations effectively manage the lifecycles of large volumes of customer information. Proactively destroying sensitive data can deliver significant benefits to the company, including:

Maximize your content services solution to meet other GDPR requirements

GDPR requires that insurance companies ensure appropriate security when collecting, processing and storing private data. Additionally, it puts customer data in the customer’s hands, requiring organizations to obtain consent from insureds before handling their data. To comply with GDPR, you must extend security controls beyond IT to your line-of-business systems and to the adjusters, underwriters and other staff who interact with private data.

To accomplish this, insurers need an information management application with layers of security features that extend all the way from system to user levels, including but not limited to:

What makes new privacy and security regulations like GDPR so challenging is not so much the technical requirements they impose on organizations, but rather the fundamental shift they require in the practices and culture surrounding information management. With the right solution — and frame of mind — insurers can securely manage customer data and meet compliance expectations today and in the future.

Cara McFarlane ( cara.mcfarlane@hyland.com) is the insurance solution marketing manager at Hyland and oversees all marketing initiatives to plan, execute and manage Hyland’s insurance marketing tactics.