Data is the new oil!


‘Data is the new oil’, so the simple universal buzzword goes. The metaphor deceptively underlines the wildcatting nature of oil exploration, plus the extractive exploitation of a trapped asset and the attendant excitement that accompanies the boom. Inevitably, terms from the oil industry, such as data-hoarding, data-dividend and many others, have slithered into the data protection realm.
The metaphor also implies that, with data treated as an asset, ownership of the data itself is brought to the fore. According to David Loshin (President of Knowledge Integrity, Inc.), ownership implies power as well as control. “The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others”. He goes on to argue that “data has intrinsic value as well as having added value as a by-product of information processing. At the core, the degree of ownership (and by corollary, the degree of responsibility) is driven by the value that each interested party derives from the use of that information”.
With the consignment of data as a resource, asset or inordinate item of value, it follows that owners and custodians of data would be predisposed to protecting the data. Data protection is the process of safeguarding important information from corruption, compromise or loss. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. 

PRINCIPLES AND PURPOSE OF DATA PROTECTION
The key principles of data protection are to safeguard and make available data under all circumstances. The term data protection is used to describe both the operational backup of data and business continuity/disaster recovery (BC/DR). Overall, data protection is geared towards the following objectives; data should be:
  • fairly and lawfully processed for (a) specified purpose(s);
  • processed in line with the rights of the individual; 
  • accurate and, where necessary, kept up to date;
  • adequate, relevant and not excessive;
  • not kept for longer than necessary; and
  • kept secure.
There are several instances of legal suits and newsworthy headlines globally that relate to cybercrime and breach of data confidentiality (e.g. Cambridge Analytica, British Airways, fitness app Polar). It is evident that legal suits are on the rise globally, especially with the entrenchment of digital tools in everyday business.

WHAT STEPS SHOULD BUSINESSES PUT IN PLACE?
  • Put in place a data protection policy, including formulation and review 
  • Undertake an audit of the level of data ownership and custody
  • Establish documented procedures and processes on handling personal data to adequately safeguard the company’s legal position in the event of a complaint and/or suit
  • Foster staff awareness and training on data protection
  • Carry out due diligence and enforce Service Level Agreements with contractors, suppliers and other third parties aimed at protection of information assets
  • Re-evaluate the company’s risk parameters & needs and accordingly implement insurance policies as a measure of risk management

RISKS AND OPPORTUNITIES FOR AN INSURANCE COMPANY
Nature of personal data and processing: Insurers manage risk. To keep that risk in check, they conduct due diligence on their customers. Regardless of the type of insurance, an underwriter will invariably collect and review personal data of the applicants, ranging from demographics to more sensitive data including health history, genetic history and physiological traits. 
Cyber risk policies: Demand for “cyber risk” and “data breach” policies, which are able to mitigate the financial damage and support the company, is growing exponentially, with premiums for cyber risk being upwards of $7.5 billion globally.
Digitalization: With the changing digital landscape, more IT tools are being used to improve human life. Many health insurance companies try to win customers over by offering them special benefits such as bonus booklets which provide policyholders with preventive measures to improve their health. The relevant data of this booklet is reported to the insurance company, regardless of data protection. Furthermore, the provision of fitness and tracking apps is another cause for concern as their users generally give their consent voluntarily to use their data. 
Business Efficacy: Once companies come to grips with the datacentric approach that data protection policies put forth and establish a stronghold for personal data, they can make efficient business decisions. Improved operational efficacy, greater credibility with customers and employees, a reduced threat landscape and enhanced brand value are natural positives that follow.
Third party vendors: It is commonplace within the insurance industry to have relationships with numerous third parties. Insurers will need to look at the arrangements they have with third parties to determine whether each is a controller-to-controller or controller-to-processor relationship when it comes to processing data.

Companies of any size and segment are to comply with the Data Protection laws of the country in which they operate. Non-compliance can be very expensive; beyond that, the reputation of the company is at stake, along with consumer confidence, which cannot be ignored by a trust-based industry such as insurance. The introduction of Data Protection represents an exceptional opportunity for insurance companies and other financial institutions to turn their business into digital fortresses that consumers already perceive as such.

Boaz Bureti ǀ Assistant Manager Economics and Research ǀ Minet Kenya
