Insurance EuropeInsurance Europe
More work needed for GDPR to achieve its aims

As today is European Data Protection Day, William Vidonja, head of conduct of business at Insurance Europe, has reflected on whether the General Data Protection Regulation (GDPR) has fully achieved it aims, since it became fully applicable in May 2018:

“Europe’s insurers strongly support the objectives of the GDPR: ie, to provide people with more control over their personal data, to put an end to a patchwork of different data privacy laws across the EU and to update privacy rules to make them fit for Europe’s digital future. However, the GDPR has not yet completely achieved its aims in certain areas.

“Firstly, the Regulation is not always uniformly applied. For example, the legal bases for processing health data for insurance vary between member states. This creates legal uncertainty and makes it more difficult for insurers to conduct their business in multiple member states and comply with data protection rules.

“Secondly, despite significant efforts to modernise privacy rules, the GDPR and the guidelines adopted by the European Data Protection Board (EDPB) are also not entirely innovation-friendly or fit for a digital age. Certain rules seem at odds with fast evolving technology and may slow the pace of insurers’ digital innovation. For instance, the use of blockchain technology in insurance could be jeopardised due to potential incompatibilities with the GDPR.

“Looking ahead, it will be crucial to ensure that the application of the GDPR and its guidelines do not create unnecessary barriers to insurers offering products across borders or to the introduction of digital innovations that could benefit consumers. Both the European Commission and the EDPB will have a key role to play to ensure that the GDPR and its guidelines provide an adequate level of legal certainty to allow insurers to conduct their business safely and to create a future-proof and innovation friendly regulatory framework. We hope that this will also be reflected in the Commission’s report on the review of the GDPR that is due by May.”

Published 28 January 2020