Virtual Event via Microsoft Teams
27 November 2020
GIZ RFPI commissioned a study on Data Privacy with emphasis on Customer Protection. The 64-page study focused on three (3) countries: Vietnam, the Philippines, and Indonesia. The webinar was designed to give the audience a brief, concise view of the study and to provide a forum for regulators to integrate the information presented and share their insights on data privacy in relation to insurance.
The webinar was attended by regulators and insurance partners from MEFIN member countries and A2ii and was hosted by GIZ RFPI Senior Advisor Gian Galsim.
|2:45 – 3:00||Online Registration||Access to MS Teams||All|
|3:00 – 3:05||Opening Remarks||Speech||George Ongkeko|
|3:05 – 3:20||Understanding Data Privacy to Advance Customer Protection in Vietnam, Indonesia, and the Philippines||Presentation||Meelendra Singh, Consultant and Study Author|
|3:20 – 3:30||Supervisory Approaches to Data Privacy||Presentation||Hui Lin|
|3:30 – 3:50||Open Forum||Moderated Discussions. Questions shall be sent via MS Teams chat and shall be on a first-asked basis.||Dr. Antonis Malagardis|
|3:50 – 3:55||Webinar Polling Survey||Feedback to the Webinar||GIZ RFPI Team|
|3:55 – 4:00||Closing Remarks||Mr. Imansyah, OJK Institute and Digital Finance|
In his Opening Remarks, Deputy Commissioner George Ongkeko of the Philippines’ Insurance Commission emphasized the greater need for regulators to be more proactive in ensuring that insurance providers observe measures to minimize data-related risks arising from the collection, storage and use of consumer data. He also shared their observations on the adequacy of the guidelines issued by regulators and on preparedness to accommodate Insurtech innovations, more so during the pandemic, when insurers turned to digital tools to market their products. In conclusion, Deputy Commissioner Ongkeko implored the regulators in attendance to use the findings of the study to issue better guidelines and strengthen the regulatory response to data privacy in general.
Moving to the main agenda, the first speaker was the study author himself, Mr. Meelendra Singh, a long-serving consultant of GIZ RFPI Asia. He started off with a brief rundown of his past projects and work with GIZ RFPI, covering such topics as Microinsurance, Insurtech, and Policies involving Microinsurance. On the webinar topic, he emphasized that the webinar would focus on a high-level understanding of data privacy and the current trends in the three countries covered by the study, and would provide attendees a forum to discuss their insights about the study and pose questions.
Mr Singh explained that the study is broken down into three (3) parts: Analysis, Recommendation, and a Deep Dive on Data Privacy in organizations. In the Analysis portion, Mr Singh highlighted the current data privacy practices in Vietnam, Indonesia, and the Philippines, with organizational case studies of privacy breaches and the related consequences (tangible and intangible) that affected those organizations. On the regulatory side, specific mention was made of Indonesia, as it recently institutionalized having a Data Privacy Officer as a requirement in privacy practice, a progressive step. In the second half of the talk, the speaker narrated salient parts of the study focusing on recommendations, with emphasis on:
1. Regulators to immediately implement data privacy regulations once they are enacted.
2. For insurance products, make sure providers integrate data privacy guidelines in the design of the products.
3. Make awareness of Data Privacy a continuous activity for the organization and not just an annual compliance exercise.
4. Look at ASEAN country Data Privacy practices and learn from them.
5. Make Data Privacy regulations proportionate to the needs of the low-income communities.
The second speaker, Ms Hui Lin Chiew of the Access to Insurance Initiative (A2ii) Secretariat, discussed current regulatory approaches to data privacy. She started off by explaining that data privacy in insurance is regulated most comprehensively through cross-cutting regulations, which take on an omnibus effect. Sectoral approaches become more specific, as the respective regulator is responsible for formulating its own set of rules. She also highlighted that responsibility for insurers’ compliance can rest with a sole data protection authority or be shared with the insurance supervisor. Some insurance supervisors nevertheless require insurers to have appropriate controls, safeguards and procedures.
Ms Hui further narrated the common risk factors associated with cyber attacks and data breaches, which are Operational, Reputational, Legal and Regulatory, and Conduct.
On the Insurance Regulatory side, the speaker highlighted Insurance Core Principle (ICP) 19, Conduct of Business, a principles-based material covering data privacy that is adopted by the International Association of Insurance Supervisors (IAIS). It addresses conduct of business and fair consumer outcomes, cyber security (operational security and policyholder data), and outsourcing.
Moderator: Dr Antonis Malagardis, Program Director, GIZ RFPI Asia
There are several data protection frameworks. What can you recommend to use in the industry as a good benchmark?
Meelendra Singh: There is one framework that comes to mind and that is the NIST Framework, which was created by the National Institute of Science and Technology, an unbiased organization funded by the US government. It is open source, so one does not have to spend to get it, and it is downloadable on the internet. It is jurisdiction- and technology-agnostic, meaning it can adjust to a government or company’s requirements. It tells you what to do but leaves the implementation of it to you. It is a good start for a small company, like a microinsurance company, to get economies of scale for data privacy.
Do you have case studies where companies were able to recover from data privacy breaches?
Meelendra Singh: Companies usually recover after data breaches, but usually with costs. Regulators also come in to provide scrutiny and implement compliance quickly. One bank in Canada that was found non-compliant was able to recover but had to spend 30 million on IT upgrades and consulting fees.
Before concluding the webinar, attendees were given a set of questions to answer in order to gauge their understanding of the topics discussed, with the majority stating they were very satisfied with the information and insights gained from the webinar.
On the topic of Insurance Core Principles (ICP), attendees were unanimous in stating that, given the complexity of the topic, more information is needed to fully understand ICP, thus necessitating a separate and focused discussion.
From a regulatory and business perspective, key takeaways were shared from the Data Privacy webinar. Given the focus of the study, country context is essential in the development of Data Privacy regulations. However, more time is needed for discussion, as the topic of data privacy is complex. Related to that, more case studies were requested to further aid in the understanding of the topic. On the regulatory aspect, more initiatives coming from the regulators covering data privacy were highlighted, along with the need to balance the use of data for a better customer experience with its protection.
In closing, Mr Imansyah, Deputy Commissioner of Indonesia’s OJK Institute and Digital Finance, shared that they have drafted a Master Plan for the financial sector that will cover the years 2020-2025. The document considers the issue of data protection. Their authority sees three complementary principles that will be in scope of the plan: first, the balance of the regulatory framework between consumer protection and responsible finance; second, providing accountable benefits to society; and third, broadening the knowledge of the consumer to increase their financial capacity.
Customer protection foundations must also be maintained in Indonesia, as they are a pillar of ensuring financial stability. The government is also currently drafting new regulations for data protection. They are also cognizant of the risks coming from Fintech players that are now actively entering their market vis-à-vis the financial literacy level of their population. Strategic steps moving forward in managing cyber risks due to progressions made by the use of the internet and financial technologies.
Cross-border collaborations with other regulators in the ASEAN region are being pursued to come up with more regulations to protect consumer data with specific focus on data localization and access.
Data protection creates new challenges and OJK wishes all regulators and players will be better prepared to face the developments in the digital era.
Lastly, Mr Imansyah directly addressed GIZ RFPI Asia and expressed willingness to reactivate and intensify collaboration between OJK and GIZ, specifically in advancing issues in climate risk insurance.