My company prepares insurers and MGAs for data privacy regulations with a platform that masks sensitive information, so only the carrier or MGA client can see that data, not brokers and agents.
At AS Medication Solutions, the shift in data privacy regulations began with privacy being regarded as an operations management discipline and not just a checkbox during compliance. The initial step was mapping the actual data flow in the organization, rather than the flow as enshrined in the policies. End-to-end reviews were conducted on intake, verification, fulfillment and follow-up to ensure that the team was able to visualize where protected information was handled, stored or sent. Training followed that map. Employees understood the reasoning behind making certain changes rather than the rules in a vacuum. Among the suggestions to others undergoing similar transitions is to ease access before restricting it. With this, compliance becomes simpler and risk is reduced instantly by reducing the amount of unwarranted data that is made available. There were no cases of confusion because role-based permissions were clear and documented workflows were used when new rules came into effect. The preparation was effective because it emphasized habits and systems, not the fear of punishment. Privacy was achieved because individuals comprehended their contribution toward safeguarding it.
Question 1: We transitioned from reactive to proactive with the creation of our data architecture. Instead of treating privacy as a compliance issue, we view it as a data design challenge. Our first step was to conduct an enterprise-wide audit of the existing legacy systems to understand the full life cycle of Personally Identifiable Information (PII), including where it resides, who can access it and why. Rather than continuing to use static spreadsheets for the mapping of data, we now use automated discovery tools to map our data flows. In a distributed enterprise environment, any manual mapping is no longer relevant once it has been completed.

Question 2: My third recommendation is to establish data minimization as an institutional engineering principle. Historically, the insurance industry has pushed to accumulate as much data as possible for long-range modeling purposes. Every byte of unnecessary personal data is an additional liability. By only collecting the data required to support your immediate policy lifecycle(s), you substantially reduce your potential blast radius in the event of a breach and reduce the burden of data complexity when fulfilling Subject Access Request (SAR) requirements. In preparing for these types of transitions, it is typically more about the technical debt created by the way we currently manage our data than it is about the laws themselves. It is a significant operational undertaking for your organization, but cleaning up your data architecture now will save you from incurring a much larger regulatory compliance crisis later on.
In my work with a health insurance client, I conducted a thorough examination of how they handled data as part of a large-scale audit of their data-handling practices. Personally, I emphasized that there is a constant need for employee education regarding new laws and regulations in order to maintain compliance. I think the best advice is to look at what the implications of any regulatory changes are (and not just the changes themselves) so that you are not only compliant but flexible enough to adapt when future changes occur.