How data protection regulation will change insurers’ way of operating consumer data

Within cyber risks, data protection is a major topic with large implications for how insurers need to handle digital information. While Big Data, Artificial Intelligence and other digital applications assume a more prominent role in shaping the future business model of insurers, policymakers and regulators across the globe are taking increasingly rigorous action to protect the privacy of individuals and their right over their own data.

European data protection directive to change how personal data is handled

The most sweeping piece of new legislation is the European General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018. This landmark regulation is perceived as the biggest shake-up in personal data privacy rules since the advent of the internet. It will be applicable to all companies collecting or processing data of European citizens — both intentionally and unintentionally, and irrespective of where these companies are located.

According to the new regulation, natural persons have the right to access all information an insurer has collected about them, including the location of storage and the purpose of data collection.

Consumers must provide their consent to data storage. They can also cancel their agreement at any time and ask to have their data removed, transferred to a competitor or deleted entirely.

The data processor has to assure the privacy of the data right from the outset of collection, anonymize it and protect it against theft or fraud. It has to ensure that it collects only the information required to complete its mandate.

As a consequence, insurers have to install data management systems that allow for the retrieval of collected information at all times, are transparent and auditable and, most importantly, anticipate future advances in processing technology to ensure that the integrity of the data will remain intact over time.

The GDPR harmonizes the regulatory landscape across the European Union (EU) into a single law, which should ease the burden of compliance. In turn, insurers will have to adjust their processes and embrace a client-centric approach if they are to grasp the opportunities offered by the new directive.

Insurers that design their systems to obtain better quality consent, provide transparency to customers on data usage and fulfill concepts such as ‘privacy by design’ or ‘right to be forgotten’ will be preferred and might regard the requirements brought about by the GDPR.

Sweeping regulatory changes in Asia Pacific

In Asia Pacific, too, the data protection landscape has changed significantly in the past few years. New legislation has been introduced in China, Japan, the Philippines and Australia in 2016, while Indonesia, Singapore and Thailand are expected to follow suit shortly.

The privacy enforcement actions and cyber security laws require tighter technology risk management and stricter cross-border data transfer restrictions.

It is foreseeable that as the EU harmonizes its data protection regulations, Asia Pacific will quickly follow suit, so as to maintain its position as a global offshore financial hub.

With the number of new laws introduced, companies hope that compliance standards across the region will bolster the confidence of consumers in the safety of e-commerce and the integrity of their data, while allowing the transfer of cross-border data.

Asia Pacific has seen some success with the launch of the Cross-Border Privacy Rules (CBPR), a voluntary system introduced in 2011. Canada, the US, Mexico and Japan have acceded to the CBPR, while South Korea, Australia, Hong Kong, Taiwan and Russia are expected to follow suit soon.

The tightening of data protection rules coincides with the rising value of personal data for businesses in general and insurers in particular.

In rapidly emerging and changing markets, access to real-time data can substitute for a lack of historical data. At the same time, companies aim to outsource data processing functions to less costly locations in order to enhance their operational efficiency. As a result, global or at least regional compliance becomes imperative.

Even though Peak Re, as a reinsurer, might be less dependent than an insurer on data that identifies an individual, we are always evaluating various applications which support our goal in system automation to achieve data transparency and security.
Also, because Peak Re is global, we are well placed to support our clients through this process of regulatory change with our expertise and advice.
