The EU’s GDPR Impact on the Insurance Industry and Small Businesses in the US
A year ago, people's mailboxes (both email and regular mail) were inundated with updated privacy notification emails from their financial institutions, personal email companies, social media accounts and any other business that collects and uses personal data. These notifications were sent due to the updated privacy policies implemented by the European Union’s (EU) General Data Protection Regulation (GDPR)
which went into effect on May 25, 2018. The GDPR does not only affect the organizations and people of the EU; it could have a lasting impact on large and small businesses around the world.
What is the GDPR?
The goal of the GDPR was to reduce the myriad of individual EU country’s data protection laws into one standard. The GDPR places more requirements on organizations that process and collect personal data with an emphasis on accountability and evidencing compliance, while strengthening the individual’s rights. The GDPR is viewed as a model for updating privacy laws around the world. In fact, California has passed a wide-reaching privacy law, California Consumer Privacy Act A.B 375
, which will go into effect in 2020. AmTrust Financial
explored the impact of the GDPR on small business, including the insurance industry in the U.S. in our recent white paper “What is the GDPR? The Impact on the Insurance Industry and Small Businesses in the U.S.”
How Does the GDPR Affect the U.S. and Small Businesses?
Any small business, which processes the personal data of individuals within the EU, is subject to the GDPR, no matter where in the world the business has their headquarters. A key point of the GDPR is that the laws apply to people within the EU, but not necessarily to EU citizens.
The GDPR applies to all data directly or indirectly related to an identifiable person in the EU that is processed by an individual, company or organization. This means that any company using the data of EU subjects, even if this company is stationed outside the EU, will need to comply with new ways of protecting data related to identifying information, IP address, cookies, health, genetic or biometric data, racial or ethnic data and sexual orientation.
GDPR Impact on the Insurance Industry
The GDPR is both a challenge and an opportunity for the insurance industry. It has raised customer awareness for the protection of personal data. However, all insurance organizations do not use personal data in the same way or for the same purposes.
Insurance companies often need to process sensitive personal data to underwrite risks and provide claims handling and other insurance-related services. Much of the personal data that insurers hold about individuals is sensitive in nature, particularly information about a person’s health or medical treatment. These “special categories” of personal data cannot be processed unless the individual has given explicit consent to that processing, or in certain other limited circumstances, none of which readily apply to the insurance industry.
The GDPR and California’s new law strengthens an individual’s rights to access and protect their personal data. These include a right for the individual to request that their data be deleted (the right to erasure), a right to object to processing and the right to data portability – in electronic form. This means that a policyholder could request a copy of all data that their insurer holds about them in a commonly used and machine readable format, so they can provide it to their new insurer.
GDPR and Marketing Tactics
The GDPR introduced new restrictions on direct marketing for all businesses, including insurance. The most significant of these is that an “opt-out” mechanism, such as pre-ticketed boxes, are no longer a valid method of obtaining consent from individuals. Data subjects must provide their full consent to be included on any type of email marketing lists.
A resident of the EU data, collected or processed outside of their home country must have protections compliant with the GDPR. Even insurers with no operations or presence in the EU are subject to the GDPR to the extent that they offer services to individuals located in the EU.
GDPR and Data Security
Every employer faces the reality that they could be a target of a network security or data privacy breach
. A cybersecurity or privacy breach can jeopardize credibility and cost small businesses thousands of dollars (or more) in damages. The GDPR regulations spotlight the importance of privacy. This privacy extends to the systems which collect, store, process and transmit data. Cyber privacy can include both personally identifying information or non-identifying information which when aggregated can be used to identify - like a user's behavior on a website and cookie information.
The GDPR requires that an organization notify data protection regulators and affected individuals about any data breach which is likely to result in a privacy risk to affected individuals. Notification significantly increases the costs of responding to a data breach
, as well as the chances that affected individuals will make claims against the controller.
Cyber Liability Coverage From AmTrust Cyber liability insurance
provides coverage for certain losses incurred as a result of a data breach. When customer data is compromised, it's usually not arbitrary or otherwise public information being targeted. Hackers are looking for credit card data, names, phone numbers, addresses, driver's license numbers, health records and even social security numbers.
For more information about cyber liability coverage in the time of data privacy, contact us
at AmTrust Financial or your AmTrust-appointed agent. Download your free copy of “What is the GDPR? The Impact on the Insurance Industry and Small Business in the U.S.”
for more information. This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.