Defining “Personal Data” and GDPR’s Impact on Insurers
Personal data has become a lucrative asset in our digital world that companies can exploit to enrich themselves at the expense of customer privacy. The result is that the collection and use of personal data has grown exponentially over the past decade, led by titans such as Google and Amazon.
Aware of this growing trend and its increasing abuse, in 2016 the European Parliament and the Council of the European Union adopted the EU General Data Protection Regulation (GDPR), proposed by the European Commission, to strengthen and unify data protection for all individuals in the EU. The idea is to protect everyday consumers from exploitation and safeguard their privacy. The GDPR is the EU’s most significant data protection change in two decades, replacing the 1995 Data Protection Directive.
Like the previous Data Protection Act (DPA), the GDPR applies to ‘personal data’. The GDPR’s definition is more detailed, however, and makes it clear that information such as an online identifier, like an IP address, can be personal data. The GDPR’s more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
Personal data is defined as any information relating to an identified or identifiable individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address. The EU Charter of Fundamental Rights says that everyone has the right to the protection of their personal data in all aspects of life: at home, at work, while shopping, when receiving medical treatment, at a police station or on the Internet.
Insurance is one of many sectors that will be impacted by the GDPR, which applies from 25 May 2018. Insurers and brokers are in the GDPR’s crosshairs because they hold massive databases of customer data, and some insurers have been tempted to use that data without the customer’s permission.
Insurance providers will have to change the way they store, handle and process their customers’ information, and how they report breaches of it. A company failing to comply with the new rules by the effective date may be subject to a fine of up to €20 million or 4 percent of the company’s global annual turnover, whichever is higher.
It’s clear that the GDPR will significantly impact insurers. My next blog post will look at six specific challenges that insurers will face in a post-GDPR world.