Personal data protection, a priority for insurers
Today insurers are faced with a dual challenge as regards the protection of personal data: complying with the new legal requirements whilst continuing to carry on their business in line with their policyholders' expectations and needs.
What should the place of data protection be in insurance?
The insurance sector is particularly concerned by the issue of data protection since collecting and processing information concerning policyholders is indispensable to its business. In 2014, one French person in two was willing to entrust their personal data to their insurer in order to obtain the best offer for their property and liability insurance. It is normal therefore that data protection should be at the top of insurers' list of priorities with respect to their Corporate Social Responsibility obligations.
The Digital Republic law passed at the end of 2016 includes a series of data protection measures intended to reinforce the rights of the people concerned. These new provisions, which already came into force on 9 October 2016 (with some exceptions), make some changes to the existing data protection law ("Loi Informatique et Libertés") in anticipation of the application of the new European General Data Protection Regulation due to come into force in May 2018. The new legislative framework admittedly involves some new constraints for insurers, but by providing new guarantees of transparency for policyholders, it can only help to raise their confidence and reduce their fears concerning the use of their personal data.
Insurers adapt to the new legal requirements
The Digital Republic Law strengthens the principle that everyone has the right to decide and control what uses are made of the personal data concerning them. In practice, from the insurer's standpoint, the party responsible for processing the data must take measures that enable this right to be exercised effectively: policyholders must have access to their data and insurers must be able to respond easily to enquiries concerning them. Tools such as dashboards or data administration consoles in customer areas can be suitable solutions. And where personal data have been collected by electronic means, policyholders must be able to exercise their right of access and the rights of opposition and rectification via an online form or by e-mail.
The new law also completes the list of information that must be provided to the person whose personal data have been collected. In particular, the person must be informed how long the different categories of data processed will be retained. Insurers' contract documents will therefore be modified to mention, in the information clause relating to the data collected, the retention time for those data.
However, certain measures could turn out to be tricky to apply
The law creates a right to control one's data post-mortem: anyone can now give directives concerning the retention, deletion and disclosure of their data after their death. This measure, originally intended for online operators and social media, in theory does not apply to data that insurers can prove that they have to retain for the implementation of the contract and up to the time limit allowed, in order to prove that they have correctly implemented the contract. This is the case in particular for life insurance policies: clearly, if the policyholder dies, it is up to the insurer to apply the provisions of the policy to the beneficiaries. On the other hand, the right to a "digital death" could concern data collected via Big Data, and personal areas. In concrete terms, insurers must provide information on post-mortem rights and put tools in place that enable the management of specific directives given by the people whose data have been collected. At this stage, things remain unclear for insurers as regards how and to what extent these measures will apply in practice.
Another new measure that is a source of uncertainty for insurers: the introduction of a right to delete data collected when a person was a minor. This is a true right to be forgotten concerning data on minors and not simply a 'dereferencing' right concerning lists of results on search engines. It concerns information collected on social media, online discussion platforms, search engines, directory and referencing services, etc. However, this right does not concern data collected for the contracting, implementation and management of insurance policies. This new system, as well as that arising from the new European Regulation, will lead to an increase in data processing by insurers in order to ensure, as of now, that they comply with the new rules.
Sources: Crédit Agricole Assurances – Crédit Agricole Group (CSA) CSR Barometer – PwC 2014 study