A closer look at regulatory data audits in insurance

Adhering to GDPR guidelines now may be the best preparation for future regulatory inspections.


We are still in the early years of the formation of data governance strategies and legislation. However, proprietary company data is now subject to inspection and audit by standards bodies depending on the jurisdiction — especially in the European Union.

It is important to note that organizations providing insurance services are in the risk envelope. After all, they process a great deal of customer data.

According to the GDPR Enforcement Tracker Report 2021, the number of fines levied in the insurance sector has grown significantly over the past 12 months, with individual penalties sometimes reaching millions of euros.

Since data-related regulation is in a nascent phase, and coherent, globally enforced standards remain a distant prospect, it is not possible here to cover every regulatory process to which your handling of customers’ data may currently be subject, and against which it may one day be audited, whether under existing rules or under new ones set to emerge over the next decade.

Nonetheless, we can examine some of the existing statutes and review others that are coming into focus.

Europe’s take on data: the GDPR

The EU General Data Protection Regulation (GDPR) allows fines of up to 4% of annual global turnover (or €20 million, whichever is higher) on companies that violate its data protection rules, while the draft AI Regulation proposed by the European Commission in April 2021 envisages fines of up to 6% of annual global turnover (or €30 million, whichever is higher) for the most serious breaches of the rules that will derive from it.

Eventually, insurance companies whose customer data touches the EU (even indirectly, for example through geo-oblivious cloud-hosted services that replicate data across regions) will be subject to both of these frameworks. Each deals specifically with data provenance and governance, though not necessarily in a way that is consistent with the other.

The GDPR is being treated around the world as the template for data privacy frameworks. In the U.S., the GDPR-style California Consumer Privacy Act of 2018 (CCPA) led the way for formal data oversight frameworks in the States, and there have been frequent calls since for the U.S. to match Europe’s lead. Adhering to GDPR guidelines now may therefore be the best preparation for future regulatory inspections, since even the EU’s draft AI regulation covers much of the same territory.

GDPR-based data audit in the insurance sector

The European Data Protection Supervisor (EDPS) provides various insights into the rationale and requirements for an on-the-spot or scheduled data audit, including a helpful overview, an inspection policy framework, and a set of general guidelines to follow. Note that the EDPS directly supervises EU institutions and bodies rather than private companies; a private insurer is inspected by the national data protection authority of the relevant member state, but the EDPS material is a useful model of how such an inspection is conducted and what an inspector expects to see.

The GDPR guidelines for a data audit are divided into four sections: lawful basis and transparency; data security; privacy rights; and accountability/governance.

Here is a look at the part of the European Union’s advice on the GDPR that relates directly to data auditing:

The state of data regulation in the U.K. and U.S.

In the U.K., the GDPR was carried over into national law (as the “UK GDPR”) at the time of Brexit, with no obligation to keep tracking the European standard in the future. Nonetheless, the Joint Information Systems Committee (JISC) offers the Data Audit Framework Development (DAFD) guideline document as a policy guide and preparatory checklist for companies researching their data audit liabilities.

It is uncertain when machine learning-specific regulation will reach the insurance sector in the U.S. Currently, a company’s data liability is still largely governed by older statutes: the data protection provisions of the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA, for financial services); the Privacy Act of 1974 (which binds federal agencies rather than private companies); the Children’s Online Privacy Protection Act (COPPA, which has at least specifically addressed data retention in recent years); and, in the most general terms possible, section 5 of the 1914 Federal Trade Commission Act, under which the FTC pursues unfair or deceptive data practices.

A growing focus on data audit

Two growing trends are set to contribute to an increased demand for data inspection over the next 10 years: the emerging ability of new techniques to identify data that was used to train a machine learning system and the aforementioned increase in data-related regulation.

Indeed, while data audit legislation is still at a relatively early stage and remains fragmented at the international level, the GDPR may serve as the template that paves the way for future governance models.

Andrea Di Stefano (a.distefano@itransition.com) is a technology research analyst at Itransition, a Denver-based software development company. He investigates emerging tech trends and their most impactful business applications, focusing on AI, machine learning, analytics, and big data.
