Fact Sheet
Situation / Targets
Being relatively young, an insurance company with a limited Historie so far did not have reasons to worry too much about removing old data from systems and data bases. Most contract, claims and other data objects were still active or still had to be retained in order to fulfill legal retention periods. No reason to act for a long time. Leaning back and waiting came to an end, when first generations of business documents reached the end of their retention period. In times of GDPR (i.e. EU legislation to protect person-related data) keeping this data any longer could not be justified, even though actuaries still wished to use this historical data for comprehensive risk analyses and reasonable premium calculation.
The solution to meet both legal obligations to delete and business requirements to retain data is suggested by GDPR itself: anonymizing data is equivalent to deleting it. Data that is made anonymous, is no longer considered as person-related data and, therefore, out of the legal scope for GDPR. Significant parts of the data can be kept for future analyses.
“Even though it is certainly easier to simply remove data that is not required any more, many companies hesitate to sacrifice their “data treasure” they often had invested a lot of time and money in. Not knowing for what exactly this data my prove useful one day, they want to preserve all options for future analysis. Effective anonymization is the silver bullet to resolve conflicting requirements of data protection and business analysis.”
Marcus Dill, Digital Governance Expert
Solution
- Comprehensive business and data analysis to identify person-related data (IDs and attributes)
- Classification and grouping of fields by sensitivity, analytical potential and need for action
- Rules and standards for deletion and anonymization per field group (including field-specific exceptions)
- Identification and resolution of conflicting requirements (GDPR vs. analysis needs)
- Systematic management of retention periods and individual exceptions (e.g. for legal cases)
- Definition of a general Information Lifecycle Management
- Review and approval by Legal / Compliance
- Integration of deletion and anonymization processes in operative und analytical systems