AM Best identifies re/insurers’ GDPR challenges

Operational and legal complexities, as well as preparing for the tight reporting window for breach notification are the main challenges that re/insurers have met on their path toward complying with the implementation of the EU’s General Data Protection Regulation (GDPR) effective May 25, 2018.

The regulation, which applies to personal data held by companies, sets fines as a high as 4 percent of annual global revenues for non-compliance and, among its most immediate consequences, has prompted businesses, including the re/insurance sector, to undertake a comprehensive data mapping exercise.

Market participants with large business portfolios – especially those skewed towards the retail segment – point to the practical challenge of being able to fulfil requirements relating to individual rights, such as a subject’s access rights and the right to be forgotten, according to AM Best’s briefing titled GDPR: The Issues for European Insurers at Implementation.

Complexity may also derive from the long chain of insurers and brokers, up to retrocessionaires, that are involved in specific segments, like treaty reinsurance. This element of concern emerged, for example, in the proposed amendment for insurance to the Data Protection Bill (the legislation that will regulate how the GDPR applies in the United Kingdom), AM Best said.

For companies with operations spread across multiple jurisdictions, this issue is compounded by deviations in the way that the GDPR has been incorporated into national legislations of EU member states, which can complicate both centralised data management and cross border data flows. Re/insurers also anticipate that Article 33, and particularly the 72-hour incident response requirement, is likely to put companies’ internal processes and functions under considerable pressure, making pre-event planning and training even more important, the report states.

“AM Best has been closely monitoring the process of alignment to GDPR among its rated companies as part of their ERM assessment, with a particular focus on associated operational, regulatory and reputational risks,” said Alvise Argenton, AM Best senior financial analyst.

“The GDPR provides an opportunity for companies to take a closer look at their own policies and procedures that relate to data use and management. GDPR preparation has helped some insurers and reinsurers to strengthen or refresh their risk mitigation capabilities, leading to the introduction of new safeguards to manage the risk of non-compliance, including basic technical measures like data encryption,” Argenton noted.

Make sure you are GDPR compliant and  confirm your email address to keep getting our daily emails

More of today's news

Amtrust launches attempt to win over investors in go-private deal

Lloyd’s Brussels unit gets regulatory approval with Vandendael as CEO

Corporate insurance faces ‘radical’ change

IUA forms new cyber reinsurance group

Insurtech investment jumps 155% YOY in Q1

Neon appoints group underwriting director from Ascot

Ardonagh Q1 adjusted EBITDA climbs 12.7%

Don't miss our insurtech email newsletter - sign up today