Roundtable: Industry must create GDPR consensus
May 25, 2018 marks the implementation date for the General Data Protection Regulation (GDPR) across 28 European Union nations, designed to give control to citizens and residents over their personal data. According to the U.K. Information Commissioner’s Office (ICO), GDPR applies to anyone (inside or outside of the EU) who controls or processes ‘personal data’ – which is any information that could be used to directly or indirectly identify an individual.
As the industry works through the regulation in preparation for compliance, a wide range of personal identifiers can constitute personal data, such as a name, identification number, location data or an online identifier, causing confusion about what is and what is not covered. For location data, without clear guidance there is a fear that advancements in data analytics to deliver more precise, granular risk analysis could be lost. A blanket solution could be imposed if the insurance industry cannot come to a consensus on defining an operating model that does not compromise compliance but also ensures business transformation and agility.
To facilitate a discussion to tackle these issues, a roundtable hosted by Insurance Day in partnership with RMS saw data protection and cyber specialists from brokers, underwriters, market associations and law firms gather to discuss the current state of GDPR preparedness of the insurance sector and what is currently keeping the market up at night concerning this regulation.
The roundtable of experts from across the UK and London markets believed that the industry must take the initiative in its approach to the major grey areas around GDPR compliance, with an active discussion on what needed to be done and the forums and channels that needed to be created to achieve this.
Varying Levels of GDPR Understanding and Compliance
One of the first points to emerge from the discussion concerned the variation in the current level of understanding about GDPR and compliance with the regulation across the market. Larger firms have been able to appoint specialist data protection officers to ensure compliance, while smaller and regional players needed greater guidance on what was expected from the regulation and their underwriting and broker partners.
Compounding the issue is the lack of available expertise. While some Data Protection Officers (DPOs) have been in place for several years and have been able to integrate the necessary compliance steps into their business, some have been placed into the role with little or no previous experience and would welcome the ability to discuss the issues they have with their peers from other organisations. However, at present, they are frustrated by the fact there is no mechanism to do so.
Creating Industry Forums
While having to be extremely mindful of potential breaches of the anti-competition rules, those around the table agreed there needed to be a facility established that would allow DPOs to meet and formulate the foundations of a consensus on the industry's approach to core areas of the regulation. Another issue is that corporate operating models differ widely between companies: data formats and processes are often siloed with little commonality, creating a difficult environment in which to build shared standards.
While the market associations have the relationships with the regulator and government which could be used to open a dialogue over that consensus, the view was that the required solutions needed to be created by those whose job it is to implement the rules within the companies.
One participant said: “We like doing stuff like that. You are to a degree quite siloed, because you are often the only one in your business. Having the opportunity to bounce off your concepts, without fear of someone going, ‘Am I absolutely right on that?’ is something people really welcome.”
This view was supported by another participant: “It does seem to be that there’s still a useful thing to be done in terms of getting those responsible for implementing GDPR within the larger organisations to talk about their practical operating solutions.”
Complexity Around Location Data
While the formation of such a forum would be welcomed by all, the discussion then turned to other practical issues around the handling of location data.
The complexity around whether location data is personal data has become quite evident as the GDPR compliance process has evolved, and those around the table said they believe the issue for many was one of clarity. Brokers and underwriters had to make it clear to the clients how their data would be used and why it needed to be collected to deliver the correct product for them. There was agreement that the treatment of location data remained a grey area and as such, at present the current approach was to treat it as personal data to ensure compliance.
“I still feel very comfortable that we can process the location data and I think we can resolve that through transparency and a fair process. In fact, the documentation that’s come out already says that it will be processed for assessment of risk. So, that’s already there if we use the market-led documentation. Then it’s down to us to make sure we have fully valued that data and to do that evaluation. We don’t just ask, is it personal data or special category? We look at the volume of the data we have and about the impact of harm to individuals or even commercial businesses.”
However, fears were raised that any adoption of an ultra-conservative approach and minimising or aggregating the data collected would see the ability for the market to leverage analytics reduced significantly, unless a consistent approach was adopted which took into account both the regulations and the need for clarity.
The feeling was that the industry needed to arrive at a consistent approach that could then be presented to the regulators, who could then provide their opinion as to whether it fell within GDPR.
Farhana Alarakhiya, vice president of products at RMS, commented: “So, the consensus is that the industry needs to come together and align around an operating model that makes sense. The GDPR standard has been set, but it is up to the industry to take control of the situation and deliver an approach that guarantees data quality, provides assurances when exchanging data and establishes trust across the value chain.”
The group also said that for the insurance sector, the Information Commissioner’s Office (ICO), which has regulatory responsibility for GDPR compliance, would not be the biggest concern if a firm was found to be in breach of the rules.
“If the ICO were to fine someone or to even apply an administrative fine, I’d be more worried about what the FCA and the PRA are going to do.”
“You might get a minor administrative fine from the ICO, but the FCA and the PRA would be all over you for systems control failures.”
The discussion, however, centred on the need for the market to take the issue into its own hands.
“What’s clear is the regulator won’t lay out a set of guidelines, that’s going too far at this point. I think there is need for the industry to come together and establish a set of basic rules. Then we can go to the regulator and test those. Maybe fundamentally, it comes down to an issue of leadership and who’s prepared actually to say, ‘Okay, there’s a market need here. We can work together, without breaching any anti-competitive issues’; and for somebody effectively to create the scheme, really as a format for discussion.”
There was real consensus from the roundtable participants that the insurance industry needs to work together and share expertise on GDPR across big and small businesses and allow DPOs and other specialists to meet and share best practice.
Alarakhiya added: “The roundtable discussion unearthed violent agreement — it was recognized that the industry is on a path of digital transformation, and analytics lie at the core of delivering improved business outcomes. Aggregating personal data to appease GDPR was not an option, as diluting the quality of analytics would set the industry back decades.”
The creation of a forum among experts, outside of the official channels, would allow those on the frontline of GDPR compliance within their organisations to work out a joint approach to these current grey areas in the regulation, such as the use of location data.
This cross-industry approach could then be used as a basis for discussion with the market associations and regulators as a blueprint on how the insurance sector wants to approach these grey areas, to ensure advances in data analytics and granularity are not lost through an imposed solution due to a poor understanding of the issues involved.