Group and employee benefits insurers face “some fundamental questions” when implementing GDPR regulation, in terms of protecting client data, according to Vidyesh V Khanolkar, vice president of Majesco UK.
Khanolkar said: “In our discussions with a range of these insurers, they are considering different routes when, in our opinion, they should be adopting a comprehensive approach combining all three elements.
“The first is where insurers seem to be adopting the ‘contractual’ route whereby they are managing their potential liability by placing the onus on their suppliers of systems or for group, their business (i.e. employer) customers who are the suppliers of data to them.”
He added: “In the case of infringement caused by e.g. a system problem, they are looking to the system supplier to address the liability and are contracting on this basis. While a contractual distribution of the liability may appear to be a neat solution on paper, insurers should remember that they have the biggest reputational risk in this game.”
In Khanolkar’s view, the different approaches stem from uncertainty regarding the extent of regulatory accountability, liability and scrutiny around the role of the insurer in terms of the personal data it collects from customers to underwrite and price its products.
Data controller v data processor
He also questioned whether the insurer’s role is one as a data controller or data processor.
Khanolkar said: “The answer to that question is important because there are significantly different rules and regulations for data controllers and data processors under GDPR.
“In simplistic terms, you are deemed to be a data controller if you determine the purposes and means of processing personal data; whereas the data processor is responsible for processing the personal data on behalf of the data controller.
“By this definition, most group insurers are likely to be categorised as ‘data processors’, given they are processing the data internally.
“However, in some cases like individual pricing, medical underwriting, or claims the insurer may decide the purpose and interpret the data based on their own specific rules leaning them towards data controllers as well.”
He explained that data processors are obliged to process personal data that is adequate, relevant and limited to what is necessary for defined purposes.
Khanolkar noted: “Because of this, many brokers and insurance companies will need to scale back the data requested, received and processed to only that which is necessary. If data is being passed on to other organisations, controls must be put in place to ensure traceability of such data transfers, ensuring that requests for data access or erasure are handled appropriately.
“However, when an insurer utilises a third party to manage and handle the data, the insurer becomes the data controller, requiring them to abide by far more stringent checks and balances.
As such, when insurers outsource data processing they need to ensure that any contract contains rigorous and clear clauses that protect the insurer if there is a breach by the third party of the regulations.”
In Khanolkar’s view, as insurers adapt to the new rules, the duty to evidence, outline and take active steps to protect personal data and to keep within the regulatory framework is critical.
He explained: “Demonstration of strong positive intent is always a good conduct sign for any regulator and really helps if you slip up on some things. While either option works, a ‘one size fits all’ approach rarely works.”