With General Data Protection Regulation (GDPR) in effect since May, regulators have clamped down on how organisations use and store customer data, writes Bundeep Singh Rangar, PremFina chief executive.

GDPR places legal obligations and pressures on organisations to maintain records of personal data and the manner in which such data is accessed and processed. This framework places more legal liability on organisations should any private customer data be breached. How then, can organisations ensure they don’t fall foul of GDPR? 


Blockchain holds the key – literally.

While many participants in the insurance industry are either reluctant to embrace the technology or are taking a “wait and see” approach, some have begun to accept it as a good and valuable development and an inevitable way of the future.

At BIBA’s flagship conference in Manchester in May, I held a fringe session called “The Disruptive Potential of Insurance on the Blockchain,” during which the question was posed as to how the implementation of GDPR will affect the adoption of blockchain technology. Citing the example of an insurance broker, the security and safety of a policyholder’s stored information was raised.

Blockchain technology, above all else, exemplifies transparency, immutability, and security. Human error aside, it holds the promise of minimising, if not removing, the likelihood of a data breach.

For starters, it’s important to explain how data is shared on the blockchain. In order to access and transmit any information or customer data, a person needs to have two keys, a public key and a private key. These keys are comprised of unique alphanumeric strings used to safely secure, store and transfer data.

Both an organisation and a customer would have a set of keys. The keys are used in tandem with one another but serve different purposes. The public key is like an electronic address that’s open and visible to all to allow for the sharing of information and data. The private key is unique to the individual and the organisation. A private key is never shared and is only to be used by the keyholder.

When it comes to sharing data, a user’s public key and private key encrypt the information being passed along while the recipient’s private key and sender’s public key decrypt it. The sender can encrypt files that they can be sure will only be decrypted by the intended party.

For example, in the case of an insurance broker and policyholder, the policyholder would have two keys: a public key and a private key. The broker would have access to the policyholder’s public key in order to be able to send them information. In order for the policyholder to be able to access or open that information the broker has sent across, however, they will need their private key. The same logic applies for information sent vice versa by the policyholder to the broker.

How secure are they keys themselves? It’s impossible to work out what someone’s private key is based on a public key. Therefore, a user can send their public key to anyone without worrying if someone can access their private key. Their information will remain safely stored. The organisation or broker is left not having to worry about a data breach or falling foul of GDPR and regulators.

Any unauthorised persons trying to access personal information would fail to do so as they would need to have permission from both keyholders to do so. Further, individuals owning their private key can select which third parties are given access to the personal information. That essentially makes it very compliant with GDPR.

In addition, with public-key cryptography, a digital signature is also produced that authenticates and validates the data shown. This is done through the combination of a user’s’ private key along with the data they wish to sign via a mathematical algorithm. Since the actual data itself is part of the digital signature, the network will not recognize it as valid if any part of it is altered or corrupted. Even the slightest modification of the data remodels the entire signature, rendering it as false.

Any potential attempts to breach a customer’s stored data would, therefore, also be picked up on the blockchain and visible to the broker and policyholder.

Blockchain holds the key to making GDPR compliance simple and easy for both brokers and insurers - make sure you hold on to yours.