Cloud Technology for Insurers - Part 4
Data Protection Law
In the previous articles of this series we learned about the basic concept of cloud computing, how the available cloud types differ from each other, and what the advantages are of using a cloud over traditional in-house datacenter solutions. In this and following articles we discuss the challenges of using cloud from the perspective of data protection.
It is particularly important for insurers to be aware of the challenges related to data protection and cooperation with data protection authorities. All insurers collect, store and process substantial amounts of personal and confidential customer information. They are required by law to protect the privacy of all customer data.
Scope of data protection laws
Data protection laws in European countries govern when and how personal data can be processed. The legislation typically interprets processing in a wide sense by including all operations from receiving and storing to modifying and deleting personal data.
Personal data is typically any information relating to an identified or identifiable person; it is therefore also known as personally identifiable information (PII). EU member states generally limit the scope of their laws to natural persons (i.e. human beings), whereas Swiss data protection law also covers legal entities. A special subset of personal data is what is known as sensitive personal data: information with a high potential of being misused to discriminate against the affected data subjects, who therefore receive even greater protection under data protection laws. In the insurance industry the most important category of sensitive personal data is identifiable health or medical information, which life and health insurers process routinely.
Applicable data protection acts
Although the European Union has released the European Data Protection Directive to regulate the processing of personal information for all member states, data protection nevertheless presents itself heterogeneously throughout the EU. Currently, individual members’ own national data protection laws implement the European Data Protection Directive, but these may differ in their details. The fact that not all European nations are members of the EU and therefore bound by the European Data Protection Directive further complicates the situation. Insurance companies operating internationally are thus faced with the question of which laws ultimately apply.
It should be noted, however, that the new General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council of the European Union on a proposal of the European Commission, will replace the EU’s current data protection directive in May 2018. Unlike a directive, a regulation applies directly in all member states without national implementing legislation. The GDPR is intended to strengthen and unify data protection for all individuals within the EU by standardizing the rules applied to the processing of personal information.
Responsible data protection authorities (DPA)
Further challenges arise for insurers from the diffusion of responsibility among data protection authorities. Pursuant to case law of the European Court of Justice, the data protection legislation of an EU member state applies if the company has a qualifying establishment (for example a branch office) in that country. However, the DPA of a country with such an establishment may not necessarily consider itself responsible, referring instead to the DPA of the EU member state in which the company has its headquarters.
Data protection authorities are organized differently across Europe. For example, some federally organized countries handle data protection at the federal level, while others delegate it to the state level. In the latter case, different DPAs within one country may interpret details of the national data protection legislation, and its application to cloud usage, differently. The difficulty arising from this decentralized approach among EU member states is that there is no consistently applied governance and regulation standard across Europe. As mentioned above, this should improve when the GDPR takes effect in May 2018.
Since the insurance industry is only just starting to move towards cloud technology, there is still a lack of precedent. Some cloud providers have recently established dedicated teams to engage with regulators and increase regulators’ knowledge of cloud technology. Nevertheless, the fact remains that technology advances faster than regulation, and only close interaction between insurers, cloud providers and regulators will help to align the difference in pace.
 Directive 95/46/EC of the European Parliament and of the Council (Data Protection Directive)
 Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
The next parts of our article series will see us continue discussing how insurance companies can handle the challenges they face when reorienting their IT infrastructure towards use of public cloud services. Stay tuned!