New regulations are soon to be introduced that will dramatically alter the relationship between customers and insurers. Allianz Group Chief Privacy Officer Philipp Raether explains what’s going to change and what it means for you and us...
New Data Privacy Regulations
With most of us present in the online world, privacy is a luxury these days. The digital world is now so ingrained into our daily lives that it is easy to forget how recent a phenomenon it is.
It was only in 1969 that the first computer-to-computer message was sent via the ARPANET network. It would still take more than 20 years before this would become the rudiments of the Internet in the early 1990s.
In digital terms, that was the Dark Ages. Google didn’t exist, Steve Jobs was still in school, and the mouse had only been invented a few years before – although most people would not have known what to do with it. Yet, somehow back then, in 1970, the German federal state of Hessen had the foresight to pass a data protection law. The complexity of the digital world has expanded exponentially since. Smartphones and the cloud have untethered us from PCs, enabling us to access constant streams of information on the go. But it also means that information about our activities is being continually collected. The gathering, processing and exchange of data has become a valuable daily activity for most businesses.
When the General Data Protection Regulation (GDPR) comes into force in May next year, the European Union will have dragged the notion of data privacy into the 21st century. European countries already have privacy regulations in place, but the GDPR takes it to the next level and fundamentally changes the whole data lifecycle. The GDPR introduces more protection for individuals ("data subjects" as they are known), more privacy considerations for organizations — and stiffer penalties for violations. Significant breaches could even lead to fines of up to 20 million euros, or 4 percent of a company’s global annual turnover for the preceding year.
For example, for a company like Allianz – with a global annual turnover of approximately 120 billion euros for 2016 – a serious breach could mean a maximum fine of 5 billion euros!
Privacy by design, privacy by default
Back in the 1990s, personal data (such as name, address, phone and account numbers, email and IP addresses, etc.) was already protected under a right of data protection, but the GDPR strengthens this right substantially. It gives us a basket of new rights over personal information, including the right to be forgotten and the rights of data access and portability.
For example, from May next year, any person living in the European Union — not just EU citizens — can request that their personal information be removed from corporate databases in a timely fashion, or be told the reason why not. This includes all data, even backups. The GDPR also expands the definition of “personal data” to include “tracking data” such as cookies and mobile device identifiers, and it requires consent per purpose.
This consent must be informed, unambiguous and freely given. The GDPR also requires that companies obtain additional explicit, informed and unambiguous consent from people if they want to use the data in a new manner. And that consent can be revoked at any time.
At its essence, the GDPR seeks to embed a “privacy by design and privacy by default” approach. Privacy by design means each service or business process that uses personal data must prioritize data privacy throughout the entire lifecycle. This means data privacy needs to become a company-wide norm, especially as companies will need to show that they have adequate security in place and that compliance is monitored.
Privacy by default means that the strictest privacy settings automatically apply once a customer acquires a new product or service. There is also a time restriction to this, as personal information must be kept only for the time necessary to provide the product or service.
The New Rules
Commonsense data collection
The GDPR is really introducing commonsense data security ideas: minimize personal data collection, delete personal data that is no longer valid, restrict access and ensure data security throughout the lifecycle. At its heart is the notion that having access to personal information is a privilege and so, companies must act with great responsibility.
While this sounds straightforward, there are typically many moving parts involved in data handling, and the GDPR imposes stringent requirements on compliance - and it is not just European companies that are affected. It also addresses the export of personal data outside the EU, such as for offshore processing, so it has international implications too. If an e-commerce website outside Europe collects or processes data on EU residents, for example, the GDPR requirements apply there as well.
Indeed, the biggest change GDPR brings for companies is accountability. This is particularly relevant for insurers as the data explosion in recent decades has provided greater insights into customers. The data collected has enabled more accurate underwriting so as to create and implement effective policies. There’s also the evolution of technology with new fields such as telematics and remote health monitoring. Insurers will need to be highly cautious to ensure personal data gathered from all such sources is used and stored in a transparent and responsible way, and with the customer’s complete understanding.
How Allianz is preparing
At Allianz, we have undertaken a three-year, multi-phased program to ensure GDPR compliance across the group. As a part of this, Allianz is implementing comprehensive and binding rules relating to the transfer of any personal data. For us, the requirements of the GDPR match our digitalization efforts. This opportunity allows us to harmonize systems across the group to reduce complexity and improve efficiency.
In the future, as in the past, Allianz will continue to ensure the privacy of our customers remains our priority.