The GDPR and the modern insurance underwriting practice : an analysis of the success or failure from an industry perspective

Abstract

Insurance business is a long standing risk transfer mechanism that has traditionally been left to operate on a voluntarily basis with little intervention from the governing bodies. Lately however, the insurance industry has been captured in a net of laws, regulations and rules and has been closely watched by governments, authorities and other bodies that seek to ensure companies in the financial world operate fairly and honestly and that the interests of its shareholders are safeguarded. One of such regulations is the General Data Protection Regulation (GDPR) and concerns the protection of consumers, who in the context of Chapter 1 Article 4(1), are referred to as data subjects (European Parliament and Council, 2016). As of 25th May of 2018, the General Data Protection Regulation (GDPR) applies and organizations are being asked to handle data with due care. The responsibility of collecting, processing, storing and deleting data has been shifted onto the data controllers and processors, so much so that huge fines have been imposed for related breaches. This effectively means that now, insurers, reinsurers and other market players involved in the handling of data will need to develop a way to operate and organise data in a seamless transparent manner. This however, could mean that the risk bearers will be compelled to dilute the type of data they gather to the detriment of underwriting quality (Insurance Journal, 2018). The market has moved from a position where the data subjects held few to no rights or control over their own personal or sensitive data, to one where the data of the data subjects is protected by virtue of rules and regulations, highlighting a development trend through the years. Therefore we find that, today, organisations require legal, technical and organisational expertise to ensure compliance with these emergent requirements (Robles, 2018). This aspect is questioning the type and role of employees required by the modern insurance business as it will require stricter rules affecting underwriting (and claims) processes. There are onerous rules on how information is collected, processed, stored and kept, making the already complicated business of insurance more cumbersome especially due to the number of stakeholders involved in underwriting practice. All of this comes within an economic environment which is increasingly challenging, placing a greater burden upon market players to invest in regulatory compliance (Reactions, 2018). From the consumers’ perspective, consumer rights have been protected through making data controllers and data processors accountable for the adherence to GDPR requirements (Lachaud, 2018). Th is paper will explore how the new GDPR has impacted the industry with a special reference to Malta from where data has been collected post 25th May 2018, nearly two years aft er the GDPR launch. Expert interviews with a number of insurance market players were conducted during a four month research period, posing interview questions that explore how the fine-tuned GDPR principles are affecting the operations of insurance in Malta.