Is it time for the UK insurance industry to take a united stand against GDPR?
With less than six months until GDPR becomes enforceable, there is still no clarity on what lawful basis should be used for processing special categories of data and criminal convictions for the purpose of providing insurance.
GDPR requires organisations not only to have a lawful basis for each purpose of processing they undertake, but also to tell the data subject what that lawful basis is at the time they collect the data. Operationally, this means having the correct documents, processes, procedures, systems and websites in place before 25 May 2018, which is no small ask for any organisation, let alone one which traditionally works with multiple legacy systems and numerous third parties who are legitimately involved in the customer journey.
In order to implement the aforementioned processes, procedures and systems, the organisation must document all of its purposes of processing and assign a lawful basis to each purpose. Simple so far, as long as you have the right understanding, a decent plan and the resources to execute it.
The sticking point comes when you don’t have a lawful basis for a purpose of processing, and this seems to be the case with insurance. Let me explain.
The GDPR defines specific lawful bases for processing personal data (Article 6), but requires a separate, additional condition for processing special categories of personal data (Article 9). If an organisation cannot meet one of these conditions, it should stop processing the personal data altogether.
When it comes to the insurance industry, there are a number of lawful bases that could be relevant for processing personal data for the purpose of policy servicing and claims, such as the favourite «Performance of a contract» and arguably «Legitimate interests». However, when it comes to processing special categories or criminal convictions data (which the UK government plans to treat as special category), there seems to be no lawful basis at all. This leaves insurance organisations in a situation where, if they follow the letter of the law, they should stop assessing health claims and stop selling travel, motor, life and health insurance. Alternatively, they could stop using medical conditions as a pricing factor, assume everyone is as sick as a dog and charge accordingly.
«No problem!» I hear people say, «we will just get consent.» Organisations really seem to think this is the safest option, but I would argue it is not an option at all; if anything, it is just as risky as processing the data without a lawful basis.
Anyone who has read the regulation will understand that there are strict criteria around when consent can and can’t be used. One of those conditions is that, for consent to be valid, it has to be freely given. Recital 43 states that consent is presumed not to be freely given if the provision of a service or the performance of a contract is dependent on it, and Article 7(4) requires that utmost account be taken of this when assessing whether consent is freely given. So there we have our problem: the contract cannot be performed, the claim cannot be assessed and the service cannot be provided without the consent. Gaining consent for the purpose of providing an insurance policy goes against the spirit of GDPR, which is to give data subjects real choice.
The insurance industry knows this is a big problem. The ABI, with support from many organisations, has lobbied DCMS to provide a new lawful basis for processing special categories of data, one specifically relating to the provision of insurance. As far as I am aware, although this has occasionally been raised as part of the UK Data Protection Bill discussions, no action has been taken, no statement of intent has been issued, and neither the ICO nor the ABI has provided any further direction on the topic. As such, insurers have been left in the dark, with not enough time to implement changes if and when a decision is made.
What to do?
First things first. I am publishing this blog in the unlikely hope that I have misinterpreted this section, or that I have missed subsequent guidance and the issue has been fully resolved. Please comment if this is the case; if not, read on.
I believe that the insurance industry should now come together, take a united stand and agree to create a new lawful basis for processing special categories of data in relation to the provision and performance of insurance business. Data processed under this lawful basis would be treated with all the safeguards expected of any special category. This is in the interest of our customers.
GDPR was written to safeguard personal data and give the data subject genuine choice and control. If we are informing the data subject of how their data will be used, as per Articles 12, 13 and 14, then we are acting in the spirit of GDPR. I appreciate that this does not follow the exact letter of the law, but given that this has clearly not been thought through when creating the legislation, I would argue that there is no alternative. Getting consent is no more appropriate than any other lawful basis, so the only other option is to shut up shop, stop selling insurance and stop paying claims. Being pragmatic, that is not what customers, the UK government or businesses want, and it was not the intention of the regulation.
Will we get fined? Well, the question is: does the supervisory authority want to fine the insurance industry as a whole and create a market in which insurance no longer exists? I don’t think so.
I believe that if you treat your data subjects fairly, safeguard their data, are transparent and don’t use their sensitive data for anything you haven’t mentioned in the fair processing notice (FPN), then there should be no fear in taking the matter into our own hands and using our initiative. If anything, this is a very sensible decision which allows all of us running GDPR programmes to just get on with implementing.
Please share your thoughts, is this a good idea? Have I missed something? How is your organisation tackling this challenge? I would be very happy to hear from you, especially if you have the answer to this question which keeps me awake at night.
Dominga Leone is Senior Data Protection Consultant with experience leading data protection programmes for multinational organisations across Europe.