Can InsureTech survive in the GDPR era?

Nowadays, technology has become an important and essential part of every day's life. The field of insurance makes no difference in this respect. Although such a vast and complex field is usually resilient to major changes, technology has made its way into the insurance market, more and more insurers being mesmerized by the significant benefits brought by the technological developments.

It is undisputable that technology has improved the overall quality of the services rendered by the insurers, by reducing cost and maximizing efficiency.

The most common trends in the insurance market are the implementation of artificial intelligence, the use of telematics (and other smart devices) and the use of the blockchain technology.

However, insurers must be cautious in using such technology, as GDPR introduces a series of obligations for the controllers, aimed at safeguarding the rights and freedoms of data subject. In the following paragraphs, we will address the most significant risks that the use of such technologies pose from the perspective of data protection.

Prohibition of automated decision making

The implementation of artificial intelligence, the use of chat bots and other AI technologies has made the insurance sector highly efficient in assessing individuals, concluding insurance contracts and even paying indemnities to the relevant parties. The most common practice of automated decision making is the "scoring" of individuals, in which, based on a certain algorithm, a computer program decides if a specific individual presents a high risk and whether an insurance policy may be concluded with him or her.

The same concept of "scoring" individuals is also used by the telematics devices. Telematics are similar to a plane's "black box" and are installed in the car of an individual, in order to assess their driving skills and determine the likeliness of the insured risk to occur.

Although no one can argue against the benefits of providing tailored solutions to the individuals, in respect to the insurance policies concluded, the lack of human intervention in the assessment process can pose significant risks for the rights and freedoms of the data subjects.

In accordance with article 22 of GDPR, the data subject "shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her". Working Party 29 ("WP 29") has stated, in the draft guidelines regarding automated decision making, that article 22 must be interpreted as a general prohibition of automated decisions making. As a consequence, any exceptions must be interpreted narrowly, and must provide sufficient safeguards for the rights and freedoms of the individuals concerned.

Paragraph 2 of article 22 of GDPR contains 3 exceptions to the general prohibition of automated decision making, provided that suitable measures to safeguard the rights and freedoms of data subjects are also implemented (i.e. at least the right to obtain human intervention):

a)explicit consent of the data subject;
b)authorization of Union or national law, provided that adequate safeguards are implemented;
c)the automated decisions making is necessary for entering into, or performance of a contract between the data subject and the controller.

The remedies at letter a) and c) are the most common in the insurance sector.

Although consent may be considered the "strongest" justification for automated decision making, considering the precise circumstances in which the consent is obtained from the individuals may affects its validity.

Specifically, considering the privileged positions of the insurer and the fact that, in most cases, the conclusion of the insurance policy will be dependent of the consent of the data subject, it may be argued that such consent is not freely given. Moreover, conditioning the service provided from the consent of the data subject also renders such consent invalid (e.g. if insurers would only concluded car insurance policies on the basis of telematics devices).

Therefore, the most likely exception to apply in the insurance sector remains the necessity of entering into, or performance of a contract. However, WP29 emphasizes the fact that "necessity" should be narrowly interpreted. In most cases, insurers will have to conduct a DPIA, in accordance with article 35 paragraph 3 letter a) of GDPR, in which other less intrusive methods must be taken into account. If other methods exist, and do not pose a significant financial burden on the insurer, the "necessity" criteria is not fulfilled. As such, the economic interest of the insurers, the efficiency and consistency arguments are not, in principle, sufficient in order to justify automated decision making.

Finally, with respect to the human intervention, this has to be more than a simple oversight of the automated decision making process. The persons involved must significantly influence the process and give meaningful insights with respect to the results of the profiling process (e.g. a person correlates the scoring results with its own assessment and decides on the basis of the aggregate result, whether a policy may be concluded with that individual).

Although the use of telematics is not new to the global market, certain geographic regions have only just began to adopt telematics for car insurance policies. The telematics devices collect a high volume of personal data regarding the driver such as: location, driving speed, acceleration, cornering, braking and in certain cases even event occurrence (e.g. when an accident occurs, based on the assessed gravity, the relevant authorities are immediately notified). Based on the data collected, a special algorithm assesses the likeliness of the insured risk to occur, and adapts the premium of the insurance policy accordingly (in certain cases the scoring process may also result in a refusal to conclude new or renewed insurance contract).

Data minimization, accuracy and storage limitations with respect to the use of telematics

Certain categories of drivers were considered to present a "high risk" without being subject to any individual assessment (e.g. young drivers). Telematics devices will enable insurers to assess the concrete risk, thus adapting the insurance policies to the actual driving skills of the insured persons, irrespective of their age or other immaterial criteria. However, certain concerns must be raised with respect to the compatibility of such devices with the provisions regarding data protection. the appropriate technical and organization measures have been implemented in order to safeguard the rights and freedoms of the data subjects. In the light of the above mentioned principles, the purpose of a telematics device is to assess the likelihood of the insured event and to adapt the insurance policy accordingly (e.g. higher premiums, risk exclusions etc.). Consequently, keeping the device active for the entire duration of the insurance policy (permanently monitoring the driver) would exceed this purpose and would be in violation of the above mentioned principles.

Moreover, a relevant aspect, often not addressed by the insurer is the accuracy and storage limitations of the profiling data collected. The human individual is highly dynamic, and their driving style and abilities are, likewise, constantly changing. Therefore, could there be any reason for keeping the data after the conclusion of the insurance contract? Most insurers would argue that such data is necessary for the renewal of the insurance policy, but it is highly unlikely that such data would be accurate after a significant period of time. Moreover, since the relationship between the insurer and insured person is mainly of contractual nature, it is doubtful that the pre-contractual circumstances

Specifically, the principle of data minimization must be strictly observed by the insurers. The telematics devices collect a huge amount of personal data, in an indiscriminate manner. However, not all data may be relevant for the intended purpose of the insurer. For example, the insurers must assess whether all types of collected data are strictly necessary for the scoring process, whether the duration of collection does not exceed the intended purpose and whether have to be stored after the conclusion of the contract, as the understanding of the parties will be the contract itself and all pre-contractual elements would already be included in the contract (implicitly or explicitly). In cases where the third party liability insurance is vehicle anchored (i.e. there are multiple drivers), additional aspects must be taken into consideration. If all the potential drivers are assessed by the telematics devices and their scores are used in aggregated form, such data would not constitute personal data and would be excepted from the GDPR. On the contrary, if not all drivers are assessed, the necessity of the telematics may be challenged, and therefore, may be in violation with the provisions of the GDPR. Such situations will have to be assessed on a case by case basis.

Indeed, the fact that no operation can ever be deleted or removed from the block chain offers tremendous security and trust in such technology, especially in the highly sensitive sectors such as banking and insurance. However, its most recognized quality may also be its greatest threat, as it is difficult to anticipate how this technology will reconcile with the right to be forgotten, introduced by the GDPR, but also with the principle of accuracy.

Article 18 of the GDPR states that data subjects may request the erasure of the personal data concerning them. No straight forward exception applies to the blockchain technology, so if data subjects exercise their right to be forgotten, what should the controller which is faced with this impossible task do? But what if the records are false or erroneous?

Finally, one of the most discussed and controversial technology topic at this moment remains the blockchain technology together with smart contracts. More and more companies from various sectors are drawn by the benefits that this technology offers, such as impenetrable security (at least at this point) and transparency.

The dawn of blockchain

These questions do not have a specific answer at this point. In practice, one of the solutions proposed in order to overcome such conflict was the encryption of personal data uploaded in the blockchain. Indeed, if only the data subject holds the key to such data, enforcing the right to be forgotten on other controllers would not be necessary. However, whereas uploading encrypted information over block chain has the role of ensuring safety of such information (like an indestructible vault), it neglects many of the other functions of such technology (such as transparency).

What remains certain is that block chain technology is here to stay, especially considering the benefits of such a technology. Therefore, it is the task of the European legislator, as well as of the developers, to implement, agree and develop adequate measures in order to reconcile the block chain networks with the relevant provisions regarding data protection (perhaps by introducing relevant legal exception or creating alterable block chains).

So what now?

The pace with which technology takes hold of our lives is overwhelming, and it is highly unlikely that this progress can be stopped (would we even want that?). So, how can controllers minimize the risk of heavy fines? The only reasonable answer is: balance. Given the high risk that technology poses to the rights and freedoms of individuals, a balance must be struck between the benefits of tech and its risks.

In this respect, it is foreseeable that in the near future DPIA's will become a frequently used mechanism to address and mitigate the risk from the constantly developing field of technology. Although most companies will be reluctant, they will eventually have to allocate significant resources to carrying out DPIA's, especially if their internal business processes are keeping the pace with the development of new technologies. The only question that remains is: what is worth spending for a company to avoid a 20 million Euros fine?

CIPP/E, Associate

33 Dionisie Lupu Street
RO-020021 Bucharest
Phone: +40 21 264 16 50
Fax: +40 21 264 16 60

Related articles


Insurance digitalization: how to avoid disapointment?

Price pressure is the biggest barrier to revenue growth, said almost half of the 46 global insurers interviewed by Simon-Kucher & Partners for the 2017 Global Pricing and Sales Study. A third of them also stated that most planned price increases are slashed or not implemented at all.


How technology impacts the insurance sector

Rather than merely adding value to the insurance sector, technology and technical innovations are now determining its very growth and evolution. The last few years have seen mobile devices, GPS functionality and social media engagement impact hugely as to how insurance claims are processed by companies and policies assessed by insurance agents. Analysis of data and the value of legitimate customer interactions is more important than ever and have helped insurance companies to maximize profits while keeping the customers happy.


FRISS: Uncovering insurance fraudsters

If you compare the insurance fraud business to other types of business, it pays off to commit insurance fraud. The benefits are great, the chances of being caught are low, and the sanctions you get once caught are low as well. So, whether working in the claims, financial, underwriting or SIU department; you will all deal with fraud at some point. And it does not stop at an organization or a border. Fraudsters do market research. They use different modus operandi, use different insurers, fake identities; just to make sure that they don't get caught.


Technology and data: Focus on the good we can do

Technology. The press is covering it, everyone is talking about it and we, as an industry, are spending time and money investing in it. For all this reasons and more, we will shortly talk about this topic at our Swiss Re L&H Conference in Warsaw in May: "Think tomorrow! Innovative solutions for our industry."


Insurance is the industry most affected by disruptive change, according to PwC

Insurance is the industry most affected by disruptive change - based on the percentage of CEOs who are 'extremely concerned' about the threats to growth from over-regulation, the speed of technological change, changing customer behaviour, and competition from new market entrants, shows the 20th edition of the PwC Global CEO Survey.


Reducing the loss ratio by effectively detecting insurance fraud

Insurance fraud is a serious issue for the entire insurance sector. Payment of fraudulent claims has a negative effect on the loss ratio and on insurance premiums, which results into a competitive disadvantage. Moreover, investigating 'false positives' takes a huge amount of time and unnecessary costs. Fraudsters are getting smarter in their attempts to evade the insurer's radar. As a consequence, money flows to the wrong people and thus combined ratios are under pressure. Insurance companies must detect insurance fraud before claims are paid. The best way to reduce the loss ratio is to increase the chances of fraud detection at claims and limit false positives to a minimum. 


Innovation - the right response to the technological challenge

The driverless revolution in the auto industry is already buzzing along city streets around the world, in a variety of tests and trials—and not just for cars, but for 18-wheel delivery trucks loaded with beer. Yet the excitement surrounding the emergence of autonomous vehicles tends to overshadow another tech revolution underway: the addition of dynamic cognition layers that will enable cars to care for human comfort, information and entertainment preferences in new and unimagined ways, say the Watson IoT team.



Fraudsters are getting smarter in their attempts to evade the insurer's radar. As a consequence, money flows to the wrong people and thus combined ratios are under pressure. Insurance companies must detect insurance fraud before claims are paid. The best way to reduce the loss ratio is to increase the chances of fraud detection at claims and limit false positives to a minimum.


Professional Requirements Engineering as a Key Factor for Successful Software Projects

In order to help your IT projects to succeed in time, budget, and scope, Requirements Engineering is a key success factor. Professional RE employed in a project or compa-ny-wide relies on trained Requirements Engineers. With increasing degree of maturity the use of IT tools built for Requirements Engineering become a critical factor in order to fully profit from automation aspects to save further costs and time.


Requirements Engineering and Legacy Systems

In order to remain competitive in the market, for example by a fast introduction of new insurance products, the legacy systems have to be modernized or replaced sooner or later. For this task, three alternatives were introduced with their advantages and disadvantages. All alternatives rely on a successful IT-Project.
In order to help them to succeed in time, budget, and scope, the professional application of different Requirements Engineering techniques are a key success factor.



WTW appoints Patrick MURPHY as Global Head of Cargo & Specie

Willis Towers Watson (WTW) has appointed Patrick MURPHY as Global Head of Cargo and Specie, within its Marine, Corporate Risk and Broking Division. He will be responsible for client management, technical, placement and risk management specialists to support WTW marine clients in risk mitigation.


"Insurance and Pensions reloaded" - the 7th EIOPA Annual Conference

The 7th EIOPA Annual Conference takes place today in Frankfurt am Main, Germany. A review of the current supervisory covergence issues and of the prospects of the Pan European Personal Pension Product are on the event's agenda, together with analyzing the ways in which regulation may enable innovation.



"IIF2017 - Insurance in the DIGITAL World" Conference took place in Vienna

"IIF2017 - Insurance in the DIGITAL World" conference brought together in Vienna well-known insurance professionals from all over the world who analyzed the latest digital trends in the industry, taking into account the fast digitalization of the financial services providers' world, in particular in the insurance field, which is creating both huge opportunities and strong challenges for the players.



Croatian Insurance Days Live

On 9 November has started in Opatija, Croatia, the 2017 edition of the Croatian Insurance Days Conference, the traditional meeting of the Croatian insurance top professionals with their European peers. XPRIMM Publications are supporting the event as Media Partners.



The 2017 Baden Baden Meeting: Short recap

The Baden-Baden meeting, one of the key events in the reinsurance calendar, has just set the final point of this year's edition. XPRIMM Publications have reported from the meeting's premises. Let's recap!


Baden Baden Headlines 3: CEE insurance markets are attractive for reinsurers

Central and Eastern Europe insurance markets are an important source of business for Lloyds, total premium income from this region increasing by EUR 64 million since 2010, pointed out the Lloyd's representative in a seminar dedicated to CEE insurance markets: "We are seeing strong growth from Czech Rep, Poland, Slovakia and Ukraine. At the same time are some contractions from Russia, Bulgaria, Romania and Hungary due to challenging trading conditions as political implications and other sanctions".


Baden Baden Headlines 2: cyber insurance market set to grow under regulatory presure; nat cat events more frequent, but losses per event are decreasing

Asian insurance market, especially the Indian market - are considered to be "the new El-Dorado" of the global re/insurance market, with rapidly expanding markets and an dynamic environment: "Indian P&C re/insurance markets are expected to grow at a pace of 15% per annum", according  to Victor PEIGNET, CEO, Global P&C, SCOR SE. The French -based reinsurer setted-up its Indian branch in 2016, after the authorisation from the local market authority - IRDAI. India's re/insurance market has become more attractive for global companies following the relaxation of regulatory requirements, and lately, "big names" in the industry entered the market by opening branches: GEN Re, SCOR, Lloyd's of London, MUNICH Re, SWISS Re, Reinsurance Group of America (RGA), HANNOVER Re, XL Catlin and others.


See all