The Insurance Industry and GDPR: The Insurer’s Guide to Compliance

By: Per Gogstad, 17. July 2021

Data protection laws have always been important. When the GDPR comes into effect, it becomes critical. Many are prepared for the regulatory changes, many are lagging behind. Either way, no one eludes them. Here’s what your insurance company should do to prepare for the new EU regulation.

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. Standing as a milestone within data protection legislation, GDPR intends to strengthen and unify data protection for all individuals living within the EU and bring data protection into line with the data-driven era we’re entering.

For many, however, the GDPR is looked upon with concern. Unfortunately, the discourse surrounding the GDPR has focused on the negatives of the legislation, failing to identify and highlight the manifold positives that follow in its wake. So let's flip the coin and shift our focus to the value the GDPR may generate for the insurance industry and the steps you can take to become compliant.


In short, there are two key drivers behind the development of the GDPR. On the one hand, the radical digitalisation of our everyday life has led to an increasing need to give people more control over how their data is collected and stored as our digital footprints increase in number and our electronic trail becomes ever longer.

At first glance, stricter regulation may seem constrictive for the insurance industry. After all, widespread access to data has enabled insurers to improve their understanding of their customers and to improve their risk modelling and management. However, new regulatory demands regarding the processing and management of data might be a good thing for insurers.

According to a global survey from the accountancy firm Ernst & Young, insurance companies generally rank low in trustworthiness. This makes the GDPR a welcome opportunity to build a healthier relationship and earn customer trust through greater transparency. For instance, becoming compliant with the GDPR can help insurance companies demonstrate the advantages customers gain from sharing data from IoT devices with their insurers in return for added-value services.

The second driver is simplification: the GDPR is meant to give businesses a simple, clear-cut legal environment in which to operate by standardising data protection law across the EU. This too is a good thing, especially if we accept the EU's estimate that standardised data protection law will save businesses a collective €2.3 billion a year.


Rather than being based on strict rules, the GDPR is based on principles. The Norwegian Data Protection Authority has summarised these guiding principles in seven points:

  • Lawfulness, fairness and transparency: Data should only be processed when there is a lawful basis for its processing.

  • Purpose limitation: Personal information should only be processed for specific, explicitly expressed and legitimate purposes.

  • Data minimisation: The amount of personal data collected should be kept to the minimum necessary for the purpose for which it was collected.

  • Accuracy: Processed data should be accurate and kept up-to-date.

  • Storage limitation: Personal information should be kept in an identifiable form no longer than necessary, and stored in a way that enables erasure or anonymisation once the data is no longer needed for the purposes for which it was processed.

  • Integrity and confidentiality: Any personal information should be maintained in a way that ensures integrity and confidentiality.

  • Accountability: Whoever controls the data is responsible for the data. In effect, this means the data controller must be able to demonstrate compliance, acting proactively and in accordance with the legislation.

The consequences of non-compliance are severe. Insurers who breach the regulation risk administrative fines of up to €20 million or four percent of their total worldwide annual turnover for the preceding financial year, whichever is higher.


Several insurance companies are taking the necessary steps to become compliant. In a recent survey done by PwC, which summarises responses from several C-suite executives from larger American multinationals on GDPR-preparedness, over half of US multinationals say GDPR is their top data-protection priority. And becoming compliant is a costly affair: 77 percent plan to spend $1 million or more on GDPR.

As the GDPR is based on principles rather than rules, the process of becoming compliant is somewhat uncertain. However, if you follow this advice you should be well prepared for the new legislation:

  • Analyse, assess and document: Gain an overview of what personal information your company processes, stores and manages today. This includes recording where all data comes from, what is done with it, the purpose for which it was processed and who has access to it. Then analyse and assess the risks to data privacy, and document every step you take to become compliant with the regulation.

  • Structure your data: Know exactly where customer data lives. Keeping it in a single insurance system of record, rather than scattered across documents and assorted business systems, makes access control, retention and erasure requests tractable; a copy you cannot enumerate is a copy you can neither protect nor erase.

  • Gain customer consent where it is the lawful basis: Consent is the most talked-about term of the GDPR, but it is only one of six lawful bases for processing; for insurers, performance of the insurance contract and compliance with legal obligations will often be the appropriate basis instead. Where you do rely on consent, it must be freely given, specific, informed and unambiguous, recorded so you can demonstrate it, and as easy to withdraw as it was to give.

  • Establish guidelines for data processing: Document and justify the processing of any customer-related data, and establish organisation-wide guidelines for data minimisation.

  • Acknowledge the right to be forgotten: Ensure that customers can have their personal information erased from your systems on request, subject to any legal retention obligations that override the request (accounting and claims-handling rules, for example). Your software supplier should be able to assist you with this. Several IT suppliers offer anonymisation, which removes identifying information while keeping historical data for statistical purposes. Bear in mind that data is only anonymised, and thus outside the GDPR, when individuals can no longer be identified by any means reasonably likely to be used; data that can still be re-linked through a key or lookup table is merely pseudonymised and remains personal data.
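The erasure-with-retained-statistics pattern from the last two points, as an added example that is not the author's code or any vendor's product. Identity data lives in a vault keyed by national ID; claim history lives in a separate table keyed only by an opaque pseudonym computed as HMAC(pepper, salt || national_id) with a random per-customer salt that exists only in the vault. Deleting the vault row therefore makes the pseudonym unrecomputable even for someone holding the national ID and the pepper, while the claim totals survive. The ten-year retention rule, the field names and the sample customers are constructed assumptions for the example.

```python
"""Erasure that keeps statistics: pseudonymisation with a per-customer salt.

Constructed example, not from the original article. While the vault row
exists the claim table is pseudonymised and still personal data under the
GDPR; only after the row (and with it the salt) is gone is the history
unlinkable.
"""

import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

RETENTION_YEARS = 10  # assumed statutory retention period for claims; adjust to your jurisdiction


@dataclass
class Store:
    pepper: bytes  # organisation-wide secret; keep it in a KMS/HSM, never beside the data
    vault: dict = field(default_factory=dict)   # national_id -> identity row (name, salt, pseudonym)
    claims: list = field(default_factory=list)  # rows keyed by pseudonym only, never by identity


def pseudonym(pepper: bytes, salt: bytes, national_id: str) -> str:
    """Keyed, salted pseudonym. Without `salt` it cannot be recomputed."""
    return hmac.new(pepper, salt + national_id.encode(), hashlib.sha256).hexdigest()


def onboard(store: Store, national_id: str, name: str) -> str:
    """Create the identity row and return the pseudonym used in the claim table."""
    salt = secrets.token_bytes(16)
    pid = pseudonym(store.pepper, salt, national_id)
    store.vault[national_id] = {"name": name, "salt": salt, "pseudonym": pid}
    return pid


def record_claim(store: Store, pid: str, year: int, product: str, amount: int) -> None:
    store.claims.append({"pseudonym": pid, "year": year, "product": product, "amount": amount})


def claims_for(store: Store, national_id: str):
    """Link an identity to its history; returns None once the vault row is gone."""
    row = store.vault.get(national_id)
    if row is None:
        return None
    return [c for c in store.claims if c["pseudonym"] == row["pseudonym"]]


def erase(store: Store, national_id: str, current_year: int) -> bool:
    """Honour an erasure request unless a legal retention period still applies.

    Assumed rule: any claim younger than RETENTION_YEARS blocks erasure, since
    the insurer must keep it in identifiable form to meet its legal obligations.
    """
    row = store.vault.get(national_id)
    if row is None:
        return False
    recent = [c for c in store.claims
              if c["pseudonym"] == row["pseudonym"] and current_year - c["year"] < RETENTION_YEARS]
    if recent:
        return False
    del store.vault[national_id]  # drops the name, the salt and the only link to the history
    return True


def totals_by_year(store: Store) -> dict:
    """Aggregate statistics survive erasure because they never touch the vault."""
    out = defaultdict(int)
    for c in store.claims:
        out[c["year"]] += c["amount"]
    return dict(out)


if __name__ == "__main__":
    # Constructed sample data; the national IDs and names are fictitious.
    s = Store(pepper=b"demo-pepper-not-for-production")
    kari = onboard(s, "01019012345", "Kari Nordmann")
    record_claim(s, kari, 2005, "motor", 12000)
    record_claim(s, kari, 2008, "home", 3500)
    ola = onboard(s, "15058054321", "Ola Nordmann")
    record_claim(s, ola, 2019, "motor", 8000)
    print("Ola erased:", erase(s, "15058054321", 2021))    # False: 2019 claim still in retention
    print("Kari erased:", erase(s, "01019012345", 2021))   # True: all claims older than 10 years
    print("Kari's history:", claims_for(s, "01019012345")) # None: no longer linkable
    print("Totals by year:", totals_by_year(s))            # all three claims still counted
```

Two design points matter here. First, the per-customer salt is what turns deletion of one row into genuine unlinkability; a pepper alone would let anyone who later obtains it and a national ID recompute the pseudonym and re-identify the history. Second, the retention check is where the right to erasure meets the insurer's legal obligations: the request is refused, and should be logged with the reason, rather than silently dropped.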

Compliance isn’t a choice, it’s an obligation. But this obligation may prove positive for the insurance industry in general and for the individual insurance companies specifically. Forward-thinking insurers should embrace the positive opportunities that lie inherent in the GDPR, act fast and prepare to become compliant with the GDPR now.