Recently there has been a lot column space devoted to the GDPR (General Data Protection Regulation) requirements and the potential penalties of non compliance. GDPR is the biggest change to EU privacy law for over 20 years and all member states and affected entities must be ready by the 25th May 2018.
The core rules are broadly the same as current regulations and they will look quite familiar to an expert eye, but the new regulations add a number of important new responsibilities on data controllers and processors. For example the right to be forgotten, data portability and right to restriction of processing. One major change is the consequence of non compliance, which could result in a fine of up to 2% of total global annual turnover or €10m GDPR EXPLAINED (whichever is the higher) being levied against an organisation.
The key question is how companies will cope with the new requirements, especially ones with legacy systems and manual processes. The industry is busy getting ready for GDPR across many areas and the level of investigation is very detailed. These are the types of complex questions that companies are having to ask themselves. Brokers and insurers may have the same data but there will be delays in updating that data due to the monthly/quarterly nature of the bordereau processing. Who should a customer ask to amend or delete information and how do all parties ensure this happens across all departments?
What consents do insurers and brokers need to obtain when processing data across different areas (new business, renewals, pricing, customer accounts, claims, etc.)?
How will insurers and Third Party Administrators share and use information to manage claims and reduce fraud especially where external data sources (e.g. social media) are used to detect fraudulent activity? External data sources (e.g. mobile phone number history, credit scores and IoT) are used to verify or support underwriting and pricing activities. What happens if a customer does not give their consent?
At Blocksure we have built an operating system for the insurance industry (Blocksure OS) which has been designed with GDPR and data privacy in mind from the start. The customer is in control of their own information and all sensitive data is protected by methods such as encryption, pseudonymisation and data minimisation. We have used the core features of blockchain to put customers in control of their own identity. They do this by authorising and revoking access to certain attributes of their personal information, on a per entity basis. This model reduces the burden of compliance with GDPR as entities only need to be able to amend and delete their copy of the data (which they are notified of by Blocksure OS) without having to be concerned about the entry, viewing, transfer or extraction of that data. Customers, intermediaries and insurers are all in sync via a smart bordereau, which transfers data real time. The personal details can be directly accessed via the use of a digital key by individuals and organisations without any dependence on or delay caused by a third party. Blocksure OS makes adherence to GDPR easier and reduces the scope for non compliance.
Chief Architect and Co-founder