Managing the risks of big data

Source: Middle East Insurance Review | Mar 2015

Mr Dino Wilkinson of Norton Rose Fulbright (Middle East) considers some of the potential opportunities for extracting value from large data sets and looks at how insurers can identify and manage the legal and regulatory risks that result from the use of big data.

Big data is set to become a pervasive agent for change, helping to fuel a digital industrial revolution across all business sectors. According to the European Commission, technology and services that are driven by, or make use of, big data are expected to grow worldwide to US$16.9 billion in 2015 at a compound annual growth rate of 40%.
 
Big data will mean big change for businesses, particularly in the insurance sector. In Europe, insurers are monitoring driving patterns and behaviour through telematics – data recording devices fitted into cars or downloaded onto smartphones. Big data is also being used to assess risk in numerous other ways: US insurers have been offering wearable technology to policyholders as a way of monitoring how much they exercise; flood and other home risks are being assessed with sophisticated tools, digital mapping and predictive climate data; retailers offering insurance products can monitor shopping habits to help profile their customers and calculate premiums accordingly.
 
When adopting this new and potentially disruptive technology, just as with any new venture, both the advantages and the disadvantages need to be considered. Risks need to be identified and managed. A failure to address legal and regulatory risk in relation to big data could result in a serious regulatory breach, attracting fines, reputational damage and loss of business.
 
A recent survey by Accenture found that 41% of businesses reported a lack of appropriately skilled resources to implement a big data project. Such expertise will need to include a legal and regulatory compliance review. 
 
What is big data?
Big data consists of large, complex data sets generated from sensors (for example, through networks of interconnected objects or devices other than traditional desktop computers, known as the Internet of Things), internet transactions, mobile payments, email, click streams and other digital interactions. Small and unconnected pieces of data generated from these sources, when amalgamated and subjected to powerful big data analytics, can reveal useful information about the user or a market as a whole, by identifying trends and making predictions about future behaviour and outcomes.
 
These data sets are so big that they are beyond the capacity of traditional software tools to capture, manage and process within acceptable timeframes. Big data analytics can identify trends, and it enables predictions to be made and risks assessed based on an analysis of existing or historic data. 
 
The benefits and risks of big data
Big data analytics is predictive in character, allowing a business to interact with its customers as individuals on a bespoke basis (reflecting customer preferences) through tailored offers and related products, aimed at obtaining a market advantage and engendering customer loyalty. Beyond this, big data is also used by businesses to make market predictions and, in the future, will increasingly inform business strategy. 
 
For insurers, the ability to use data analytics to inform risk assessments on policyholders is a clear advantage. According to a recent UK press report, almost a third of policies sold in Italy by Generali, the country’s largest insurer, are telematics based, and European insurers sold 4.56 million telematics policies in 2014. 
 
Risks
While there is considerable potential, insurers must understand the risks involved in pursuing a big data strategy:
 
Reliability
Among the potential risks that businesses creating or using big data need to address is the question of data reliability, that is, the veracity of the underlying raw data. Raw data sourced from publicly available sources, from another business, or collated by the business itself may contain errors. These errors may be processing errors or may arise at source (for example, from mistakes in field coding and other inputs). These errors may flow through to the outputs of the data analysis processes, such as trend analysis and predictions, on which the business’s strategic and investment decisions – or the calculation of insurance premiums – may depend.
 
Data sets may have their origins in several different sources. Open data are typically licensed on terms similar to those applicable to open source software (in general terms, software licensed under a “general public licence” or a similar licence which permits access to source code and gives a right to redistribute). These terms usually give little or no comfort to the business that uses the data in relation to the reliability and non-infringing nature of the licensed material.
 
Public providers of these data sets, such as local authorities or central government, are seldom willing to accept liability for losses arising from reliance on the data, particularly when the data are provided free or for a nominal charge.
 
Businesses that supply these data sets to other businesses, or that provide services that depend on the data, could potentially face claims in contract, in tort (for example, for negligent misstatement) or for some other form of liability (this could include consumer claims based on statutory rights). They will need to ensure that they limit their own liability on a back-to-back basis with the supplier of the data set where possible, or insure against the risks.
 
Privacy
Interception, appropriation and corruption of data will remain issues for businesses possessing big data, just as with any other data. The data privacy laws in many countries require that the data controller implements appropriate technical and organisational measures to safeguard the security of personal data. Such laws typically require the data controller to pass these requirements on in their contracts with their suppliers. These requirements will apply to the data sets held by businesses that contain personal data. 
 
Businesses will also need to take into account the new European Union (EU) data protection regulation, which will require that technical and organisational measures be provided for by design (broadly speaking, an approach that is about finding ways to build privacy controls into systems from the start). This will apply to the whole lifecycle of the data, including at the time of collection and in relation to retention. Purely technical solutions, implemented in the absence of a more comprehensive approach to information governance, may not be adequate. The European legislation could impact subsidiaries of multinational companies that are operating in the Middle East and potentially also businesses that use servers or other equipment based in Europe (including cloud technologies) or that have branches established in the EU.
 
Information governance
Amassing vast quantities of data for big data projects can give rise to e-discovery risks in relation to this data. For example, it may only be a matter of time before litigation arises where the strategies or decisions that were derived from a business’s big data project become potentially relevant to litigation. Moreover, new e-discovery tools are emerging that will be able to handle the data analytics challenges presented by vast quantities of big data.
 
Businesses whose commercial models depend on creating and exploiting big data will need to develop an approach to information governance that is capable of addressing the risks presented by these unstructured data sets. Compliance with information retention requirements (including those imposed by law or regulators) will need to be reconciled with the legal and commercial necessity to regularly delete unwanted data as part of a wider risk management strategy.
 
Big data and legal compliance
Any business, including insurers, must consider data protection in relation to the creation and use of big data. While these laws vary from country to country, in the Middle East there are currently no specific national laws protecting personal data to the same extent as may be found in Europe or other regions. However, that position may change as legislators look to adapt existing legal frameworks to modern technologies and risks. A number of GCC countries have recently upgraded their cyber crimes legislation and several have draft data protection laws under consultation.
 
In many jurisdictions in the Middle East, there are constitutional rights to privacy and criminal penalties for unauthorised use or disclosure of personal information, as well as social conventions that place considerable emphasis on protecting personal reputations and respecting an individual’s privacy. These factors must be considered before embarking on strategies that may involve intrusive analysis of personal habits, behaviours and other information.
 
In addition to analysing the legal position under privacy and data protection laws, insurers that use big data should consider putting in place a big data policy regulating the internal use of collected data or imported data sets in conducting big data analytics. A big data policy will act as an adjunct to existing privacy policies, which may themselves require updating in light of the use of big data by a business. 
 
Among other things, a big data policy will need to set out guidelines for the business on things such as:
 
The receipt of data sets from third parties and the associated risks of infringing intellectual property rights in that data;
The use of data sets from public sources;
The use of webcrawler technology to collect data; 
Due diligence considerations in relying on consent in relation to personal data;
The need to obtain suitable warranties in relation to personal data that has been sourced from third parties (for example, that it has been collected fairly and lawfully); and
How anonymisation, functional separation or other safeguards will be implemented where necessary to use the data.
 
Mr Dino Wilkinson is a Partner with Norton Rose Fulbright (Middle East) LLP.