How can insurance companies ensure compliance one year on?

Mohit Manchanda, Head of Consulting UK and Europe, and Prakhar Agrawal, Practice Director – Privacy & Risk Consulting, at EXL

01.11.2019 10:30 am

The much anticipated data privacy regulation, the GDPR, came into force for businesses in May 2018, and since then the number of reported data breaches has grown steadily, alongside a rise in customer complaints. The scale of the fines now being proposed against large multinationals, such as the ICO's notice of intent to fine British Airways £183 million after the personal data of around half a million customers was stolen,[1] has shown just how critical GDPR compliance is for businesses.

The UK's regulator, the Information Commissioner's Office (ICO), advises companies to focus the second year of the regulation on three areas: moving beyond baseline compliance, having a clear and evidenced understanding of privacy risks, and being able to demonstrate strong accountability. In essence, businesses must stop treating the regulation as a tick-box exercise and adopt a sustainable, long-term approach. For the insurance industry in particular, the flexibility to tailor the GDPR compliance toolkit to changing industry needs is essential.

To keep pace with this transition and get the most out of it, insurance firms gain the most value from partnering with an organisation that already has deep domain expertise and practical experience across the full range of data privacy issues. The main focus points fall into four areas: privacy risk monitoring and assurance, record retention and destruction, data-driven privacy compliance, and third-party risk management.

Privacy risk monitoring and assurance

Insurers must now proactively demonstrate compliance, moving beyond the minimum to producing evidence of a forward-looking roadmap. The ability to monitor holistically across the other privacy laws that apply to them globally, and to generate measurable privacy risk insights, enables more effective decision making while meeting the reporting requirements of their boards and clients.

The most effective route to privacy risk monitoring and assurance is a bespoke monitoring system built on a global best-practice privacy risk monitoring and assessment framework and tailored to the business's exact needs and challenges. A sustainable and scalable model for compliance self-assessments adds a further layer of accountability, governance and quality assurance. Insurers should also exploit the efficiencies that current technology offers: automating the evaluation and tracking of assessments delivers real-time risk insights rather than a point-in-time snapshot.

Record retention and destruction

Achieving GDPR compliance can and should be used as a catalyst for digital transformation. Studies indicate that around 40% of data breaches are attributed to paper records; with the average cost of a data breach put at $6.3 million and an average customer churn rate of 6.4% as a consequence, the stakes have never been higher. Retaining unnecessary historic physical records is not only expensive and inefficient but also contravenes the GDPR's storage limitation principle (Article 5(1)(e)), which requires that personal data be kept no longer than necessary for the purpose it was collected for.

Many thousands of boxes and millions of pages dispersed across storage sites, with limited inventories and governed by complex retention rules, make such archives a liability. Partnering with an organisation that can first collect and comprehensively catalogue the records, then analyse them for personal data and classify those that fall outside policy, is hugely valuable. Firms should then digitise and index the content that must be kept, destroy the remainder, and put an ongoing maintenance process in place so the backlog does not rebuild.

Data-driven privacy compliance

Firms must unlock the value of unstructured data in order to reach sustainable privacy maturity and achieve GDPR compliance. The organisations with a firm understanding of their personal data landscape will go furthest. However, with roughly 70% of data held in unstructured form, this is an extremely complex task. The key challenges are finding a solution that uses modern techniques to identify personal data and associate it with individual identities, and adopting a sustainable framework for operational compliance.

An ideal solution starts by deploying technology that scans the data estate and automatically builds and maintains data flow maps. Next comes a policy impact analysis that flags and alerts on non-conformances. Finally, a risk-based approach to policy enforcement applies data treatment and remediation options such as deletion, anonymisation, access restriction and archival. This not only reduces data exposure but also enables timely fulfilment of data subject requests, which the GDPR requires to be answered within one month.
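As an added illustration of the pipeline just described (scan for personal data, check each record against retention policy, apply a treatment), and of the out-of-policy classification mentioned under record retention, the following is example code written for this article, not EXL's or any vendor's tooling. The detection patterns, retention periods, treatment rules, salt and sample records are all assumptions constructed for the example; a production scanner would use far richer detectors and validation.

```python
"""Added example (not EXL's or any vendor's tooling): scan constructed
unstructured records for personal data, flag records that breach a
hypothetical retention policy, and apply a treatment (keep, pseudonymise,
delete).  All patterns, retention periods and records are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Detectors for personal data that commonly appears in free text.  These are
# illustrative; a production scanner uses many more, plus validation logic.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
}

# Hypothetical retention policy: how long each record class may be kept, and
# how personal data in a record that is still within policy is treated.
RETENTION_YEARS = {"claim_file": 7, "marketing_lead": 2}
WITHIN_POLICY_TREATMENT = {"claim_file": "keep", "marketing_lead": "pseudonymise"}
SALT = b"example-salt"  # assumption: a real system holds the salt in a KMS/HSM


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    text: str


def find_personal_data(text):
    """Return {category: [matched values]} for every detector that fires."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def is_out_of_policy(record, today):
    """True once the record is older than its class's retention period.
    A class with no retention rule has no documented basis for keeping the
    data, so it is treated as non-conformant rather than silently kept."""
    years = RETENTION_YEARS.get(record.record_class)
    if years is None:
        return True
    return (today - record.created).days > years * 365


def pseudonymise(text, hits):
    """Replace each detected identifier with a salted-hash token so the text
    keeps its analytical value without identifying the data subject."""
    for values in hits.values():
        for value in values:
            token = hashlib.sha256(SALT + value.encode()).hexdigest()[:12]
            text = text.replace(value, f"<pii:{token}>")
    return text


def assess(record, today):
    """Policy impact analysis for one record: decide the treatment and why."""
    hits = find_personal_data(record.text)
    if not hits:
        return {"id": record.record_id, "action": "keep",
                "reason": "no personal data found", "text": record.text}
    if is_out_of_policy(record, today):
        return {"id": record.record_id, "action": "delete",
                "reason": "personal data held beyond retention period", "text": None}
    treatment = WITHIN_POLICY_TREATMENT.get(record.record_class, "pseudonymise")
    new_text = pseudonymise(record.text, hits) if treatment == "pseudonymise" else record.text
    return {"id": record.record_id, "action": treatment,
            "reason": f"within policy; contains {sorted(hits)}", "text": new_text}


# Constructed sample records (not real data).
TODAY = date(2019, 11, 1)
RECORDS = [
    Record("R1", "claim_file", date(2015, 3, 1),
           "Claimant contact: NI AB123456C, phone 01234 567890"),
    Record("R2", "marketing_lead", date(2016, 5, 1),
           "Lead from web form: bob@example.org wants a home quote"),
    Record("R3", "marketing_lead", date(2019, 6, 1),
           "Lead: jane.doe@example.com asked about motor cover"),
    Record("R4", "claim_file", date(2018, 1, 9),
           "Vehicle damage to front bumper; repair estimate attached"),
]


def run_example(records=RECORDS, today=TODAY):
    """Assess every record; returns {record_id: assessment}."""
    return {r.record_id: assess(r, today) for r in records}


if __name__ == "__main__":
    for result in run_example().values():
        print(result["id"], result["action"], "-", result["reason"])
```

Run as-is, the claim file R1 is kept because it is within its seven-year period, the stale marketing lead R2 is deleted, the recent lead R3 is pseudonymised so the e-mail address no longer appears in the stored text, and R4 is kept untouched because no personal data was found. The important design choice is that an unknown record class is treated as out of policy: a scanner that defaults to "keep" when it has no rule will quietly preserve exactly the unclassified data that the storage limitation principle targets.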

Third-party risk management

Another decisive issue is managing the risk that third parties introduce, and determining whether each one adds value or weakens the outlook for GDPR compliance. As much as 60% of all data breaches can be linked directly or indirectly to a weakness in an organisation's supply chain. Insurers in particular rely on a complex network of third parties and are required to carry out multi-faceted due diligence at several points in the relationship. Despite this, many still manage their third parties with a patchwork of spreadsheets and ad hoc processes. A holistic solution should instead offer a centralised view of all third parties and their associated data, introduce a standardised methodology and a scalable framework that streamlines risk assessment through automation, and provide the insights and risk intelligence needed to improve decision making and to evidence compliance with regulations such as the GDPR, all while keeping the process workable for the supply chain itself over the long term.

Organisations should start with a short assessment blueprint that evaluates the maturity of their current third-party risk management processes, then design an execution roadmap tailored to their specific business needs. A trusted partner that fully manages this transformation of third-party risk management greatly reduces the pain points and lets the firm focus on outcomes.

