GDPR and the insurance industry

The angel sitting on my right shoulder is saying go with it, ‘smile and wave’ (film reference), the devil on my left shoulder says this is nonsense. The GDPR is about our rights as individuals, irrespective of industry sector, there is no difference between them. You cannot look at them differently.

What do you think?

Anyway, ‘let’s crack on then’ (film reference).

For this blog we’ll look at the Insurance sector: I worked in Insurance for over 20 years. For the last 10 years it was all about privatisation and a trail of mergers and acquisitions, offshoring, cost cutting, regular job losses, a running down of skills, knowledge and support. ‘Luxury’ (TV reference) I hear you say.

Anyway, recalling those points, a picture of certain areas of GDPR risk starts to form - inherited systems and data with little or no supporting knowledge or process. Nothing gets deleted: I installed the first Princeton Softech (now IBM) data archive solution in the UK for my employer at that time, but I recall talking to another major insurer, around 2009, who admitted they had never deleted anything from the day they opened!

The broader picture: The likelihood of heritage (I’m calling it heritage now rather than legacy) mainframe-based technology with a lack of skills/knowledge. Data being transferred out of the country. Loss of central control. Loss of process.

What I have also seen first-hand (with regards to the GDPR) is management in the acquired company paralysed and unable to make decisions, because they are waiting for big brother to tell them what to do.

So, heading into GDPR compliance, we are looking at a raft of inherited issues that now present imminent risks to compliance. You thought you could ignore the problem and it would go away. Guess what? ‘You’re gonna need a bigger boat’ (easy film reference).

There isn’t going to be an easy answer to the culture change required, the re-engineering of process, or the work needed to analyse all this, just as a start. £10K will not get you there, one organisation had budgeted that for its whole GDPR project (‘smile and wave’). How much might annual compulsory training cost to design, build and implement?

What we continue to see are organisations in denial, for example just this week, we’ve had the challenge that a client wants to continue to provide us with unmasked production data for testing and we have been told to ensure GDPR compliance. To some extent this may be middle managers who are not getting leadership or direction around compliance (or perhaps the wrong leadership), only interested in their own world and throwing the problem over the fence.

For us, as a data processor, it reinforces the policies, governance and processes we will need to continue to update to mitigate our risk, and the education we need to provide to our clients to appreciate their own risk, accountabilities and responsibilities.

In terms of business benefits, we have spoken before about the opportunity to get your data in order and start to use your most valuable asset to innovate and move the business forwards with an engaged audience. Think also about the reduced costs in no longer supporting all the ‘stuff’ you don’t need.

If you have questions or need help with your GDPR projects/programmes, then we can help you. Visit the website for further details https://www.uk.sogeti.com/services/gdpr-services/

I nearly forgot the film references - easy ones, I reckon.

• My challenge, should I choose to accept it: A slight misquote from Mission Impossible, of course, but how appropriate!!
• Smile and wave:  Madagascar and those brilliant penguins.
• Let’s crack on then: Sherlock Holmes (Mr. Downey’s version)
• Luxury: Month Python
• You’re gonna need a bigger boat: Jaws, of course, and reused a number of times - a classic line.