Opinion: GDPR impact on Insurance Fraud

The new General Data Protection Regulation (hereinafter “GDPR”), which applies from 25 May 2018, will have a significant impact on companies that process personal data, especially in the insurance arena in the European Union (“EU”). The European insurance industry is heavily regulated and has always been overseen by individual national authorities. However, because of the cross-border nature of insurance, the goal of the EU is to create harmonisation through the new regulation, so that the rules become clearer, simpler and easier to enforce.[1] The regulation permits the processing of consumer data only on a lawful basis listed in Article 6, chiefly consent, contract, legal obligation and legitimate interests.[2] Prior to the regulation, it was up to national laws to regulate data protection in the insurance sector. The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data and thus a need for harmonisation.[3] Several articles of the new regulation will, in creating that harmonisation, place a burden on insurers and other app providers and, hopefully, allow for more consumer protection. This brief will look at two issues that will impact insurance providers: data protection by design and the lead supervisory authority.

First: the new “data protection by design and by default,” commonly called “privacy by design.” Apps containing your personal information must now be designed in a secure way. “Privacy by design” means that app developers must protect personal data as a rule, not as the exception. Thus, all apps need to be built in a way that ensures protection of, and limits on the amount of, personal data collected.[4] Apps should not collect more data than necessary for their purpose, and where the processing relies on consent they must inform the customer that such data is being collected and obtain that consent.[5]

One issue that is still uncertain under the new GDPR is whether the regulation actually goes far enough to protect the consumer. Think about how many times you download an app and “consent” to cookies or to the collection of data without ever reading the fine print. Even if consumers read the agreement, they have no option but to agree: a consumer is in no position to bargain if they want to use the app. Article 7(4) of the GDPR does direct regulators to treat consent as not freely given where a service is made conditional on processing that the service does not need, but whether that provision changes how apps are actually built remains to be seen. Thus, it seems that the GDPR, while creating a base level of protection, may not go far enough.

From the point of view of insurance providers, the regulation can make cross-border access to information within the single market, and the identification of fraudulent claims, more difficult. If an insurer cannot process or hold data because of the new “right to be forgotten” (the right to erasure in Article 17), it becomes harder to carry out the functions needed to detect such criminal conduct.[6] The right is not absolute: it yields where there is a legitimate reason to keep the data, and Recital 47 of the GDPR expressly names fraud prevention as a legitimate interest. However, insurance fraud is estimated at only around 10% of all claims brought within the EU.[7] That is a small price to pay to give consumers control over what information about them is dispersed. Furthermore, based on fact sheets released by the Commissioner for Justice, Consumers and Gender Equality, the “right to be forgotten,” which has thus far been applied mainly to search results on websites such as Google, will also give consumers the right to have their data deleted from these apps.[8] If so, it may also protect the consumer from the “cookies” issue described above.

Lastly, the “one-stop shop” mechanism under the new GDPR will allow a complaint against a company operating in several Member States to be handled by a single lead supervisory authority. Previously, national authorities had trouble communicating on issues, especially cross-border ones. This will remove the confusion of dealing with multiple authorities across the EU, make filing complaints much easier, streamline decisions, and make it easier to police companies and to approve binding corporate rules for transfers across borders.[9]

The GDPR lays the first uniform groundwork for privacy and data protection within the EU. The insurance industry will need to take proactive steps to become compliant, especially in the way it collects data to prevent insurance fraud. The GDPR increases the responsibility and accountability of these industries for how they collect personal data. Only through data protection impact assessments, data protection officers, and the principles of “data protection by design” and “data protection by default” will they be able to provide services in a way that complies with the new regulation.

[1] European Commission, Reform of EU data protection rules.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Article 6, (hereinafter “The GDPR”).

[3] Id. at Recital 5.

[4] Id. at art. 5(1)(c) (data minimisation) and art. 25.

[5] Id. at art. 25, “That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

[6] “The new rules will also strengthen individuals’ right to be forgotten, which means that if you no longer want your personal data to be processed, and there is no legitimate reason for a company to keep it, the data shall be deleted.” European Commission, Justice and Consumers.
[7] Insurance Europe, Press Release, “European data protection rules could hinder fight against fraud,” https://www.insuranceeurope.eu/sites/default/files/attachments/European%20data%20protection%20rules%20could%20hinder%20fight%20against%20fraud.pdf (Oct. 2014).

[8] European Commission, Justice and Consumers, http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=52404.

[9] Id.