The much anticipated data privacy regulation GDPR hit businesses back in 2018, and ever since there has been constant growth in the number of data breaches reported, together with an increase in customer complaints. The magnitude of recently announced intended fines on large multinational corporations, such as British Airways’ colossal £183 million fine after half a million customers had their data stolen, has highlighted just how critical GDPR compliance is for businesses.
The UK’s regulatory body – the Information Commissioner’s Office (ICO) – advises companies to focus the second year of the regulation on three main areas: moving beyond just baseline compliance, having a clear and evidenced understanding of privacy risks, alongside an ability to demonstrate strong accountability. In essence, businesses must move from treating the regulation as a mere tick-box exercise towards a more sustainable, long-term approach. In particular for the insurance industry, having the flexibility to customise the GDPR compliance toolkit in alignment with the changing industry needs is essential.
In order for insurance firms to keep pace with and make the most of this transition, they would see the most value in partnering with an organisation that already has deep domain expertise, understanding and experience covering all the issues associated with data privacy. The main focus points can be split into four areas: privacy risk monitoring and assurance, record retention and destruction, data-driven privacy compliance, and finally third-party risk management.
Privacy risk monitoring and assurance
Insurance players must now proactively demonstrate compliance, moving beyond the minimum to producing evidence of a future roadmap. The ability to perform holistic monitoring across an array of other applicable privacy laws globally as well as generate measurable privacy risk insights would enable more effective decision making whilst meeting the reporting requirements of their board and clients.
Integrating a bespoke monitoring system that addresses a business’s exact needs and challenges, built on a global best-practice privacy risk monitoring and assessment framework, is the most effective way of achieving privacy risk monitoring and assurance. Using a sustainable and scalable model for compliance self-assessments also adds a layer of strong accountability, governance and quality assurance. Insurance firms should also be taking advantage of the efficiencies afforded by cutting-edge technology; automating the assessment evaluation and tracking processes will deliver real-time risk insights.
Record retention and destruction
Achieving GDPR compliance can and should be used as a catalyst for digital transformation. Studies indicate that a huge 40% of data breaches are attributed to paper records, and considering the average cost of a data breach is $6.3 million, with an average customer churn rate of 6.4% as a consequence – the stakes have never been higher. Retaining unnecessary, historic physical records is not only expensive and inefficient, but is in contravention of GDPR.
The many thousands of boxes and millions of papers dispersed across different storage sites with limited inventory, as well as the complex data retention rules that govern their legality, make them highly undesirable. Partnering with an organisation able first to provide pickup and extensive records cataloguing, and secondly to analyse records for personal data and classify out-of-policy records, would be hugely valuable. Afterwards, firms should focus on digitising and indexing the content and destroying the leftovers – all while putting in place a system of ongoing maintenance.
Data-driven privacy compliance
Firms must look to unleash the value of unstructured data in order to reach sustainable privacy maturity and achieve GDPR compliance. The organisations with a firm understanding of their personal data landscape will go the furthest. However, with a staggering 70% of data residing in unstructured form, this is an extremely complex task. Key challenges include finding the right solution that employs new-age techniques for identifying data and associating it with individual identities, and adopting a sustainable framework for operational compliance.
An ideal solution would start by deploying the right technology to scan the data estate and automatically build and maintain data flow maps. Next, it would undertake a policy impact analysis to flag and alert on non-conformances. Finally, it would apply a risk-based approach to policy enforcement, with data treatment and remediation options such as deletion, anonymisation, securing and archival. This will not only reduce data exposure but also enable timely fulfilment of customer data requests.
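The three steps just described (scan the estate and build a data map, check records against policy, apply risk-based remediation), together with the classification of out-of-policy records from the retention section above, are shown end to end in the following added example. It is illustrative code written for this page, not a product or the article's own tooling: the sample records, the detector patterns, the retention periods, the allowed-category table and the `legal_hold` flag are all constructed assumptions, not a real insurer's policy.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Detectors for personal-data categories (assumed, illustrative patterns).
DETECTORS: Dict[str, re.Pattern] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?7|07)\d{3}\s?\d{6}\b"),
    # UK National Insurance number shape: two letters, six digits, one letter A-D.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# Assumed policy: retention period per processing purpose, and which
# categories a purpose is allowed to hold at all.
RETENTION_YEARS = {"claims": 7, "marketing": 2}
ALLOWED_CATEGORIES = {"claims": {"email", "uk_phone", "ni_number"},
                      "marketing": {"email"}}

# Constructed sample records, standing in for scanned/digitised content.
RECORDS = [
    {"id": "CLM-001", "system": "claims-archive", "purpose": "claims", "legal_hold": True,
     "last_activity": date(2011, 5, 2),
     "text": "Claimant Jane Doe, NI AB123456C, tel 07700 900123, claim settled."},
    {"id": "MKT-042", "system": "campaign-exports", "purpose": "marketing", "legal_hold": False,
     "last_activity": date(2016, 9, 30),
     "text": "Lead list export: john.smith@example.com opted in 2016."},
    {"id": "MKT-077", "system": "campaign-exports", "purpose": "marketing", "legal_hold": False,
     "last_activity": date(2019, 1, 15),
     "text": "Newsletter signup anna@example.org, NI CE987654A noted by agent."},
    {"id": "CLM-230", "system": "claims-archive", "purpose": "claims", "legal_hold": False,
     "last_activity": date(2019, 6, 1),
     "text": "Open claim, contact via 07911 123456."},
]


def scan(text: str) -> Dict[str, List[str]]:
    """Step 1a: return every personal-data match in the text, grouped by category."""
    return {cat: m for cat, pat in DETECTORS.items() if (m := pat.findall(text))}


def build_data_map(records) -> Dict[str, Dict[str, set]]:
    """Step 1b: per system, the purposes served and the categories observed."""
    data_map: Dict[str, Dict[str, set]] = {}
    for rec in records:
        entry = data_map.setdefault(rec["system"], {"purposes": set(), "categories": set()})
        entry["purposes"].add(rec["purpose"])
        entry["categories"].update(scan(rec["text"]))
    return data_map


def check_policy(rec, today: date) -> List[str]:
    """Step 2: flag over-retention and categories not permitted for the purpose."""
    purpose = rec["purpose"]
    issues = []
    age_years = (today - rec["last_activity"]).days / 365.25
    if age_years > RETENTION_YEARS[purpose]:
        issues.append(f"retained {age_years:.1f}y > {RETENTION_YEARS[purpose]}y limit")
    for cat in sorted(set(scan(rec["text"])) - ALLOWED_CATEGORIES[purpose]):
        issues.append(f"{cat} not permitted for purpose '{purpose}'")
    return issues


def remediate(rec, today: date) -> Tuple[str, str]:
    """Step 3: choose a risk-based treatment and return (action, resulting text)."""
    issues = check_policy(rec, today)
    text = rec["text"]
    if not issues:
        return "retain", text
    if any(i.startswith("retained") for i in issues):
        # Past retention: keep only under a legal hold, in a restricted archive;
        # otherwise there is no basis to keep it, so delete.
        return ("archive", text) if rec["legal_hold"] else ("delete", "")
    # Within retention but holding a category the purpose may not use:
    # anonymise just those spans and keep the rest of the record.
    for cat, pat in DETECTORS.items():
        if cat not in ALLOWED_CATEGORIES[rec["purpose"]]:
            text = pat.sub(f"[{cat.upper()} REMOVED]", text)
    return "anonymise", text


def run_review(records, today: date) -> Dict[str, Tuple[str, str]]:
    """Apply the full pass to every record; keyed by record id for reporting."""
    return {rec["id"]: remediate(rec, today) for rec in records}


if __name__ == "__main__":
    as_of = date(2020, 1, 1)
    for system, entry in build_data_map(RECORDS).items():
        print(system, sorted(entry["purposes"]), sorted(entry["categories"]))
    for rec_id, (action, text) in run_review(RECORDS, as_of).items():
        print(f"{rec_id}: {action:9s} {text}")
```

The data map gives the inventory a firm needs before it can answer a subject access request or evidence its processing; the policy check is what turns "we have a retention schedule" into a list of concrete non-conformances; and keeping the remediation decision in one function makes the risk logic (delete versus archive versus anonymise) reviewable and auditable rather than spread across spreadsheets.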
Third-party risk management
Another decisive issue to be aware of is managing the risks that third parties pose, and determining whether they add value or weaken the outlook for GDPR compliance. As much as 60% of all data breaches can be directly or indirectly linked to a vulnerability in an organisation’s supply chain. Furthermore, insurance companies have a complex network of third parties and are required to undertake multi-faceted due diligence at various junctures. Despite this, a large number of companies still make use of multiple spreadsheets and ad hoc processes to manage their third parties. Instead, a holistic solution should be applied that not only offers a centralised view of all third parties and associated data but also introduces a standardised methodology and a scalable framework to streamline risk assessment, leveraging deep automation. In addition, the solution should enable rich insights and risk intelligence to enhance decision making and help demonstrate compliance with regulations such as GDPR, all while making it easy for the supply chain to ensure long-term operational success.
Organisations should start with a short assessment blueprint to evaluate the maturity of their as-is third-party risk management processes and look to design an execution roadmap bespoke to their specific business needs. Having a trusted partner to fully manage this transformation in the third-party risk management space would greatly alleviate the pain points and allow you to focus on the outcomes.