Data protection and artificial intelligence in the insurance industry
The insurance industry handles a large flow of policyholders’ personal data, so its processing must comply with the General Data Protection Regulation, especially because much of the data it processes is considered special category data.
On the other hand, because the industry processes data on a large scale, adopting new technologies is a major competitive advantage. Artificial intelligence is especially important here: it helps manage all processes more efficiently and so makes it possible to offer users a better service.
The purpose of this article is to outline the main data protection obligations of the insurance sector, especially when it incorporates artificial intelligence into its processing, since this technology involves processing that is more invasive of data subjects' privacy.
How to avoid data protection penalties in the insurance industry
Recently, the French data protection authority (CNIL) fined a French insurance company €1.75 million for violating essential requirements of the GDPR: it did not comply with data retention periods, storing data indefinitely, and it failed to meet the information obligation of art. 13 GDPR by not providing basic data protection information when contacting data subjects.
These penalties are very common, but if you follow the tips below, in addition to those we publish each week in our #SeiftiTips section, the chances of receiving one are greatly reduced. These measures are essential to protect the personal data of data subjects:
- Keep a record of processing activities.
- Obtain the express and informed consent of all policyholders.
- Include data protection and confidentiality clauses in contracts with employees and third parties, since insurance companies work continuously with other professionals (mechanic shops, hospitals, funeral homes, insurance brokers, etc.) to whom they transfer data subjects' data. Data subjects must also be informed of this transfer.
- Establish technical and organizational measures to ensure the security, confidentiality and integrity of the data.
- Conduct risk analyses and impact assessments when necessary.
- Maintain a quality privacy and cookies policy that clearly states the rights of data subjects and provides forms for exercising them easily.
- Draw up contracts with the data processors to whom the insurance company or brokerage firm transfers data, establishing their main obligations for protecting data subjects' data.
- Notify the supervisory authority of security breaches when appropriate.
- Appoint a Data Protection Officer when appropriate.
- Duly inform users about the main issues related to the processing of their data and about the rights they can exercise.
- Delete the user’s data if the insurance policy is not taken out.
- Conduct periodic audits to check whether security measures are still adequate or need to be strengthened.
- Avoid exchanging user data with other companies. This is our recommendation, although it will depend on each situation, on whether the user has been informed, and on the security measures implemented for this purpose.
As you can see, there are quite a few measures, but we advise you to comply with all of them, as repairing the damage caused by failing to do so will be more costly.
Artificial intelligence and insurance companies
Did you know that a healthier lifestyle can reduce your insurance premium?
This is possible because insurers have incorporated artificial intelligence into their business processes: by processing the personal data provided, they obtain statistics and calculate the probability of claims occurring and, based on this, policies are priced higher or lower.
According to this report by The Economist, more and more insurers are opting to incorporate artificial intelligence into their business. This is undoubtedly a great step forward, but the “negative” part is that the key to effective artificial intelligence is information: the more personal data it is given, the better it will be at managing clients’ portfolios and offering highly personalized products.
Artificial intelligence is a great advance, but it also involves an excessive intrusion into the privacy of users, so the fundamental right to data protection requires limiting its use in certain respects. According to the Spanish authority, responsibility for this limitation lies with the data controller, which decides whether or not to incorporate artificial intelligence into its processing and for what purposes. The controller must therefore be diligent when selecting this method, especially when it profiles a natural person or makes decisions about that person.
In short, if you are going to incorporate artificial intelligence into your business, you must be extremely diligent and comply with the minimum conditions set out in the GDPR, which ensure that the processing is appropriate and safeguard the privacy of data subjects.