Will location-specific data be classified as personal information under GDPR?

May 25 will mark a seismic shift in how personal data is collected, stored, processed, accessed, used, transferred and erased. It sees the application of the European Union’s General Data Protection Regulation (GDPR) across all 28 EU states, introducing some of the most stringent data management controls in place anywhere in the world.

The aim of the regulation is not to stifle the flow of data, but rather to ensure that at all stages it is handled in a compliant and secure way. However, the safeguards placed on the use of personal data will have a significant impact on an increasingly data-rich and data-dependent (re)insurance industry and could cap the potential capabilities of the new wave of high-resolution, real time analytics.

Location, location, location

Despite the fact that there are only weeks (at time of writing) to the implementation of this monumental piece of data legislation, there is still a distinct lack of clarity around a number of critical areas for the (re)insurance sector.

While uncertainty around the use of sensitive health-related information and criminal conviction data has sparked much industrywide debate, the possible capture of property-related location information under the “personal data” catchall has raised little comment. Yet the potential clearly exists and the repercussions of such a categorization could be significant if the market fails to address the issue effectively.

 

According to Corina Sutter, director of government and regulatory affairs at RMS: “The uncertainty lies in whether property-specific data, whether an address, postcode, geocoded information or other form of location identifier, can be used to identify an individual. While in most cases this information in isolation would not, [but] combined with other data it could contribute to their identification.”

Given the current uncertainty as to how such data will be classified, RMS has made the decision to apply the same data management requirements for a processor of personal data under GDPR to location-specific information until such time as a definitive classification is reached.

No easy path

It is critical, however, that the (re)insurance industry clarifies this issue, as failure to do so could have far-reaching repercussions.

“If we cannot achieve a sense of clarity around the classification of property-specific data,” says Farhana Alarakhiya, vice president of products at RMS, “our concern is that some (re)insurers may choose to aggregate property-specific data to achieve GDPR compliance. The analytical ramifications of such an approach would be huge.”

Over the last decade, advances in data capture, data processing and data analysis have outpaced developments in virtually any other business-critical area. Vastly enhanced computational power coupled with an explosion in data-rich sources are exponentially boosting the analytical competence of the (re)insurance sector. Meanwhile, the Internet of Things (IoT) and big data afford huge untapped data potential.

“Any move to aggregate property-related data will severely impair the analytical power of the sector,” believes Alarakhiya, “essentially diluting or dissolving the high-resolution data clarity we have achieved in recent years.”

She highlights the example of flood cover. “The advances that we have seen in the development of flood-related cover are directly attributable to this increase in the availability of high-resolution property data. Two properties of equal value only meters apart can have markedly different risk profiles given factors such as variations in elevation. Without that ground-level data, such variables could not be factored into the underwriting decision-making process.”

Building consensus

To head-off this analytical backslide, Alarakhiya believes the (re)insurance industry must engage in marketwide dialogue to first achieve consensus on how it should treat location-specific data. She thinks much can be learned from the approach adopted by the health care sector.

“Health care records constitute some of the most sensitive data stored by any industry,” she points out. “Yet maintaining the granularity of that data is central to the effectiveness of any patient-level care. When faced with the issue of how to store and process such data, the sector took proactive action and worked to achieve data consensus through industrywide dialogue.”

Such consensus laid the foundations for the introduction of a third-party certification system that facilitated the implementation and maintenance of consistent data management practices across the entire health care supply chain.

“This is the path that the (re)insurance sector must start moving down,” Alarakhiya believes. “We simply cannot take the perceived easy route to compliance by aggregating property data.”

Sutter concludes that industry consensus on this issue is essential. “Failure to achieve this,” she states, “has the potential to degrade the quality and granularity of the property exposure data or location data the industry currently relies upon. We must strive to reach industrywide agreement on this if we are to preserve the analytical foundations we have all worked so hard to build.”