Published On: 21 June 2016
The new rules on profiling are likely to be one of the areas of the General Data Protection Regulation (GDPR) which will significantly affect the insurance industry, particularly in respect of big data projects. In the first of DAC Beachcroft's "deep dives" into the GDPR, we examine this new right for data subjects and the potential impact it will have on the insurance industry.
A new concept
This is a new concept under data protection law and covers:
“any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, their economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4 GDPR).
The scope of the definition is wide enough to capture almost any analysis of an individual carried out by automated (electronic) means. In the insurance industry, this will include any underwriting, direct marketing, targeted advertising and e-recruitment processes which are performed electronically, rather than by a human being.
The Data Protection Directive (95/46/EC) ("Directive"), transposed into UK law through the Data Protection Act 1998, had a more limited right to object to automated processing. The new concept of profiling and the related right have more far-reaching consequences.
A new right
The GDPR introduces a new right not to be subject to a decision based solely on profiling which produces legal effects or has a similar, significant effect (Article 22).
That right can be broken down into 3 important elements:
All three of the above elements must apply in order for a data subject to benefit from the right.
Exemptions for profiling
The right does not apply to profiling using personal data if any resulting decision is:
If a data controller seeks to rely on exemptions (1) or (3), they must implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and at least give the data subject the right to obtain human intervention, to express his or her point of view and to contest the decision. This could result in insureds questioning the reasons for policy eligibility decisions or premium pricing.
Exemptions and the Insurance Industry
In practice, insurers and brokers could ask for consent from data subjects to carry out the profiling they undertake. The profiling which is strictly necessary for the performance of the contract (i.e. the original underwriting risk analysis) could be a prerequisite of entering into the insurance contract. Any additional profiling, whether for market analysis or targeted advertising, would need to be an optional choice for the data subject, as it is foreseeable that requiring consent to this additional profiling will lead to challenges as to how "free" the data subject is to give his or her consent (and therefore as to whether the consent is valid at all). Similar issues have arisen in the context of an employee providing consent to his or her employer; it is now widely acknowledged that such consent is rarely valid due to the imbalance of power.
However, there is much profiling undertaken by the insurance industry which falls somewhere in between the profiling which is necessary for the contract and that where the insurance industry can feasibly (albeit reluctantly) ask for consent. Of particular concern is the profiling that the insurance industry undertakes for fraud analysis. It is difficult to say that this profiling is strictly necessary for the contract, but nor can the insurance industry feasibly ask for consent, if data subjects need to be given the option to say no. However, as a matter of public policy, it seems a strange effect of the GDPR that such fraud analysis, which is in the public interest and keeps insurance premiums affordable, should be made essentially unlawful under the GDPR.
In the absence of any legislation over the next 2 years which expressly permits the insurance industry to undertake such automated fraud analysis, the only argument open to the insurance industry is that this profiling is necessary for the insurance contract. Without it, premiums would be too high. We would hope that with appropriate explanations of this given to data subjects by the insurance sector, before policy inception, the regulators would agree with this approach.
We have no such solution to any profiling undertaken on third party beneficiaries, who are not party to a contract with the data subject, but merely benefit. To undertake any kind of profiling on these third parties, the insurance industry will need explicit consent. The burden of being able to demonstrate that you have such consent from that third party will be another problem for the insurance industry, who will not necessarily have a direct line of communication with those data subjects.
Profiling using sensitive personal data
There is an absolute restriction on profiling using sensitive personal data unless the data subject has given explicit consent or it is necessary for reasons of substantial public interest.
This will leave certain sectors of the insurance industry with no option but to require consent to profiling as a condition to obtaining cover. An obvious example is health insurers who inevitably must profile using sensitive personal data in order to underwrite a health policy. Less obvious examples include profiling using sensitive personal data relating to criminal convictions (e.g. for a motor policy).
In the event that a data controller is able to profile in compliance with a data subject's rights, there are yet more obstacles to overcome.
A privacy notice must refer to the existence of profiling and provide meaningful information about the logic involved, as well as the significance of it and the envisaged consequences.
Data controllers will need to carefully craft privacy notices. A balance will need to be struck between (i) providing enough information to meet the requirements of the GDPR and (ii) providing information which is meaningful (and therefore not over-detailed or technical).
There are additional obligations on data controllers who carry out profiling activities which are spread throughout the GDPR. These include obligations to:
The Practical Effect
In practice, these restrictions on profiling could lead to multiple consent boxes on proposal forms. For example, a broker selling a travel policy may need to include separate consent tick boxes for its customer's agreement to:
(i) terms and conditions;
(ii) consent for profiling using health data as part of the underwriting process;
(iii) consent for profiling using health data for marketing of other insurance policies.
To the extent profiling is undertaken on third party beneficiaries, we anticipate that they too will need to sign and return such consent notices.
Insurers and brokers should consider which consents they require and start implementing GDPR-compliant consent requests well in advance of 25th May 2018.
One way to achieve greater engagement from customers will be to highlight the "value exchange" which occurs when their personal data is collected. Numerous studies have shown that the reason why individuals share data with social media sites or loyalty schemes is because they see the value that they get in return. If they share personal data with a social media site they will be able to communicate with their contacts; if they share data with a retailer they will receive tailored discount offers. The data subject is providing their data in order for a readily identifiable benefit.
Unfortunately, insurance doesn’t always have the same attraction. However, there is work that can be done to educate customers about the uses that insurers and brokers make of their data to illustrate the value exchange. One area of particular concern around the use of profiling in big data projects is that underwriters end up with so much information about a particular person or class of persons that they become uninsurable.
However, there are examples of exactly the opposite occurring and big data being used to make the uninsurable insurable again. One example is a telematics box designed specifically for individuals with criminal convictions who might not otherwise have been able to readily obtain motor insurance.
Publicity of these sorts of profiling activities will serve to highlight the value exchange that insurers and brokers can offer.
Leniency from the UK legislature?
Member States may restrict the scope of data subjects' rights in a number of circumstances.
Those of particular relevance to the insurance industry include:
It will be for the UK government to provide data controllers with such additional exemptions via national legislation. The insurance industry would be well advised to lobby for such exemptions now.
What does all this mean for profiling post GDPR and what should you be doing now?
Profiling under the GDPR will undoubtedly be more difficult, although not impossible. There are a number of steps that insurers and brokers can take now which will either serve to take profiling outside of the scope of the right or ensure compliance.
Steps to take profiling activities outside of scope
Steps to ensure compliance
Submitted by Rhiannon Webster, Partner and Jade Kowalski, Solicitor