Given the operational complexity ofmost insurers and the large quantities of data that insurers use inconducting their everyday business, the CCPA requirements may seemdaunting. (Credit: Joe Therasakdhi/Shutterstock)

The California Consumer Privacy Act of 2018 (CCPA), whichbecomes effective on Jan. 1, 2020, is one of the most comprehensiveand far-reaching of the new privacy rules proliferating at theinternational, national and state levels. Through CCPA and similarinitiatives, regulators want businesses, including insurers, to beable to protect the privacy and security of consumers' data.

The implementation of CCPA compliance initiatives presentsinsurers with several data and operating challenges. Withthe act going into effect in just a few months, insurers need tofocus on addressing three specific areas in particular:

1. Over-retention of data. The legacy of over-retention ofconsumer information is presenting insurers with challenges inconsistently and effectively disposing of consumers' personallyidentifiable information. Aspart of a broader review of information life cycle managementprograms, insurers should review their data retention policies toalign with CCPA requirements. A key question is whether dataretention periods align with legal requirements or are based onother business rationales. Under CCPA, insurers are able to retainsome information for legal or regulatory needs, but if they wish tokeep other data for longer periods, they must be able to demonstrate a legitimatebusiness reason for doing so.
2. Third-party data. Understanding the flow of personalinformation across supply chains and securing collaboration amongthird-party partners to dispose of consumer information is provingto be a time-intensive process. The requirementsof CCPA dictate that insurers be able to contact suppliers andother third parties with access to consumer data and direct them todispose of such information when a legitimate request is made. Thiscan be a challenging operational problem for many insurersthat have complex supply chains. They need toestablish contractual obligations with suppliers to enable insurersto respond to their legal obligations. Insurers with large networksof agents or independent brokers (which can number in thethousands) may face a major undertaking to determine what consumerinformation has been shared. This is all predicated on establishinga reliable inventory of third parties that may be difficult giventhe complexity of the agent population, but it is fundamental toany subsequent analysis to determine which information has beenshared with which third-party.
3. Data discovery. Insurers need to know where consumerdata is within their organization, including how it is stored andhow it can be obtained on demand. This requires a clearline of sight into where structured and unstructured data (fromsources such as telematics and scanned policy documents) is kept.Scanning should be automated and systematic, with an eye toestablishing a clear audit trail of locations and integrationwith other enterprise data management solutionssuch as data governance tools. Insurers also need to determinewhether to configure existing technologies, which may be morelocation-centric in their scanning capabilities, rather thanconsumer-centric (which may require further investment).

Given the operational complexity of most insurers and the largequantities of data that insurers use in conducting their everydaybusiness, the CCPA requirements may seem daunting. And, indeed,companies in all industries are pushing hard to meet the Jan. 1,2020, deadline for CCPA implementation. However, insurers taking aholistic approach to CCPA and other privacy-related regulatoryinitiatives — redesigning processes and bringing effective workflowand discovery into play — can address regulators' concerns whilehelping themselves move towards compliance with the ongoingemergence of similar regulations at the state–andnational-level.

Related:

• California's toughest-in-U.S. privacy lawmay get even stricter
• New privacy laws taking shapeworldwide
• P&C Legislative Round-Up: August2019

Ben Shorten ([email protected]) is theNorth America compliance transformation lead for Accenture'sfinance and risk practice. The views expressed here are theauthor's own.