What GDPR Means for Insurtech

After Solvency II, the European Union is ready for its next big and comprehensive regulation, called GDPR (General Data Protection Regulation). GDPR was approved by the EU Parliament in April 2016 and after a two-year grace period took effect in May 2018! The new regulation will replace the current Data Protection Directive 95/46/EC. Regulatory Landscape and Breaches The first key point of the new regulation is protecting all E.U. citizens’ data privacy with an extended regulatory landscape. New data privacy rules should be applied to all personal data of data subjects residing in the European Union, regardless of companies’ locations. With GPPR, fines for possible breaches were increased sharply, up to 4% of annual global revenue or 20 million euro (whichever is greater). Another radical change is that regulations apply to not just controllers, but also processors. So, cloud processors are also covered. Under GDPR, the data owner must give consent through a document that is understandable, simple and easily accessible. Withdrawal of consent for data usage must also be easy. With GDPR, breach notification will become mandatory and should be performed within 72 hours after the breach is spotted. Notifications must be to all affected data owners. The Key Point for Insurtech These changes are key for insurtech. Data security and privacy had seemed to be key concerns that would hold back insurtech, because of the dangers created by the increased use of connected IoT devices, real-time data collection and high profile cyberattacks. But customers will be much more comfortable with insurtech because GDPR will alleviate concerns about data privacy, without regard to a company’s scale. With GDPR, drivers of insurtech like IoT, machine learning and much more won’t be considered as possible tools for data breaches. GDPR will be a spontaneous trigger of insurtech!