How can insurance companies ensure compliance one year on?

Mohit Manchanda, Head of Consulting UK and Europe, and Prakhar Agrawal, Practice Director – Privacy & Risk Consulting at EXL

01.11.2019 10:30 am

The much anticipated data privacy regulation, GDPR, hit businesses back in 2018, and ever since there has been constant growth in the number of data breaches reported, together with an increase in customer complaints. The magnitude of recently announced intended fines on large multinational corporations, such as British Airways’ colossal £183 million fine after half a million customers had their data stolen,[1] has highlighted just how critical GDPR compliance is for businesses.

The UK’s regulatory body – the Information Commissioner’s Office (ICO) – advises companies to focus the second year of the regulation on three main areas: moving beyond baseline compliance, having a clear and evidenced understanding of privacy risks, and being able to demonstrate strong accountability. In essence, businesses must move from treating the regulation as a mere tick-box exercise towards a more sustainable, long-term approach. For the insurance industry in particular, having the flexibility to customise the GDPR compliance toolkit in line with changing industry needs is essential.

In order to keep pace with and make the most of this transition, insurance firms would see the most value in partnering with an organisation that already has deep domain expertise, understanding and experience across all the issues associated with data privacy. The main focus points can be split into four areas: privacy risk monitoring and assurance, record retention and destruction, data-driven privacy compliance, and finally third-party risk management.

Privacy risk monitoring and assurance

Insurance players must now proactively demonstrate compliance, moving beyond the minimum to producing evidence of a future roadmap. The ability to perform holistic monitoring across the array of other privacy laws applicable globally, as well as to generate measurable privacy risk insights, would enable more effective decision making whilst meeting the reporting requirements of their board and clients.

Integrating a bespoke monitoring system that addresses a business’ exact needs and challenges, built on a global best-practice privacy risk monitoring and assessment framework, is the most effective way of achieving privacy risk monitoring and assurance. Using a sustainable and scalable model for compliance self-assessments also adds a layer of strong accountability, governance and quality assurance. Insurance firms should also take advantage of the efficiencies afforded by cutting-edge technology; automating the assessment evaluation and tracking processes will deliver real-time risk insights.

Record retention and destruction

Achieving GDPR compliance can and should be utilised as a catalyst for digital transformation. Studies indicate that a huge 40% of data breaches are attributed to paper records, and considering that the average cost of a data breach is $6.3 million, with an average customer churn rate of 6.4% as a consequence, the stakes have never been higher. Retaining unnecessary historic physical records is not only expensive and inefficient, but is also in contravention of GDPR.

The many thousands of boxes and millions of papers dispersed across different storage sites with limited inventory, as well as the complex data retention rules that govern their legality, make them highly undesirable. Partnering with an organisation able first to provide pickup and extensive records cataloguing, and second to analyse records for personal data and classify out-of-policy records, would be hugely valuable. Afterwards, firms should focus on digitising and indexing the content and destroying the leftovers, all while putting in place a system of ongoing maintenance.

Data-driven privacy compliance

Firms must look to unleash the value of unstructured data in order to reach sustainable privacy maturity and achieve GDPR compliance. The organisations with a firm understanding of their personal data landscape will go the furthest. However, with a staggering 70% of data residing in unstructured form, this is an extremely complex task. Key challenges include finding the right solution, one that employs new-age techniques for identifying data and associating it with individual identities, and adopting a sustainable framework for operational compliance.

An ideal solution would start by deploying the right technology to scan the data estate and automatically build and maintain data flow maps. Next, it would undertake a policy impact analysis to flag and alert on non-conformances. Finally, it would apply a risk-based approach to policy enforcement, with data treatment and remediation options such as deletion, anonymisation, securing and archival. This will not only reduce data exposure but also enable timely fulfilment of customer data requests.

Third-party risk management

Another decisive issue to be aware of is managing the risks that third parties pose, and determining whether they add value to or weaken the outlook for GDPR compliance. As much as 60% of all data breaches can be directly or indirectly linked to a vulnerability in an organisation’s supply chain. Furthermore, insurance companies have a complex network of third parties and are required to undertake multi-faceted due diligence at various junctures. Despite this, a large number of companies still make use of multiple spreadsheets and ad hoc processes to manage their third parties. Instead, a holistic solution should be applied that not only offers a centralised view of all third parties and their associated data but also introduces a standardised methodology and a scalable framework to streamline risk assessment, leveraging deep automation. In addition, the solution should provide rich insights and risk intelligence to enhance decision making and help demonstrate compliance with regulations such as GDPR, all while making it easy for the supply chain to ensure long-term operational success.

Organisations should start with a short assessment blueprint to evaluate the maturity of their as-is third-party risk management processes and look to design an execution roadmap bespoke to their specific business needs. Having a trusted partner to fully manage this transformation in the third-party risk management space would greatly alleviate the pain points and allow you to focus on the outcomes.
