Bolstering insurance data protection while building customer trust 

Interamerican uses SAS^® for Personal Data Protection to safeguard its systems and comply with new EU General Data Protection Regulation

With the adoption of the EU General Data Protection Regulation (GDPR), organizations throughout the region must work diligently to reshape how they approach data privacy and protect residents’ personal data. Though some might view this as a formidable challenge, others see it as an opportunity to strengthen their relationships with customers by creating and extending levels of trust and loyalty.

As the largest private insurance company in Greece, Interamerican provides life, health and property insurance to more than 1 million customers. With that many policyholders, Interamerican is responsible for handling – and protecting – a vast amount of data. To comply with the new GDPR, the insurer turned to SAS for Personal Data Protection.

We recently talked with Xenophon Liapakis, CIO of Interamerican, to learn how the company is preparing for the new regulation, and how their customers remain at the heart of how the organization operates.

What are the main steps of Interamerican’s implementation approach to comply with the GDPR? Which regulation requirements are hardest to comply with?

Xenophon Liapakis: Interamerican’s first step was to be knowledgeable of the GDPR content. A deep-dive analysis of the legislation was required so we could successfully identify, adapt and comply with GDPR requirements. The next step was a detailed presentation to senior management to raise awareness of the impact and key points of the new regulation, and finally to get their approval to initiate the journey toward compliance.                                                                                    

We started with the creation of new project roles such as data protection officer and data traffic controller, and strengthened existing roles such as data governance, data stewards, data owners and data citizens. Following the well-defined GDPR project tasks, we also allocated a pre-budget for implementation. The next step was to evaluate our current status to assess the readiness of the organization, and identify and prioritize the actions needed.

In parallel, all employees were engaging with GDPR-related activities, starting with awareness quiz sessions, CEO messages and posters. The GDPR implementation methodology consists of specific steps that cover the areas of data governance and risk management. Building an accountability framework is a major task involving data lineage, enterprise business glossary and data flows to classify personal data. We were also adjusting our security processes and implementing new ones for data breaches and handling of data provision requests from different parties, resulting in the creation of a well-defined risk assessment as well as data breach management framework. 

How do you find a balance between security and performance in achieving, analyzing and delivering the right data sets?

Liapakis: Finding a balance between security and performance, as defined in the GDPR, is a challenging task because it involves people, tools and processes in the same context. New tasks are being defined and implemented for all data processes, such as the creation of a new framework for handling data requests, strengthening authorization schemas and extending data masking and encryption mechanisms.

On the other hand, continuously building a secure data framework will introduce several challenges to confront, such as lower data transaction rates, lower data performance, infrastructure optimization, extra cost for storage, etc. Ultimately, this approach leads to an “elusive” data ecosystem.

Privacy by default and by design is already embedded in our organization, and all policies, processes and systems are designed according to those principals.

The best scenario is to have constant supervision of the security procedures applied on every data set by measuring the advantages and disadvantages per business case based on clearly defined KPIs and practices.

In the context of the GDPR requirements, we’ll be able to continue supporting the various departments of the company – providing the data sets needed for daily business and analytics processes – while ensuring all GDPR security requirements are met.

The lakes you are fishing information from – and the integration needed with internal sources – will demand new skills. How are you developing them?

Liapakis: Interamerican always invests in new tools and skills to facilitate new business requirements. When a new tool is adopted, we make sure that all necessary skills are acquired by our staff through proof of concepts (POC) in specific business cases by using pilot installations in our premises, training sessions through workshops by skilled consultants and daily interactions with global support teams and communities that our vendors provide us. The result: Highly specialized knowledge is shared among all involved parties.

To whom, in the organization, is the new data governance platform addressed? How is it going to change the day-to-day processes and the job of the company’s employees?

Liapakis: Under the new data governance model, our employees operate in a more secure and efficient way. Additionally, the new GDPR requirements gave us the opportunity to invest and boost our data ecosystem. New tools, expertise and knowledge are used not only to comply with regulations and protect our data, but also to advance our data management practices by providing extended capabilities in data analysis, data quality and data handling.

What kind of new services and businesses do you expect to deploy once you reach the result you're looking for in the data management? What are the expected benefits for your customers?

Liapakis: Our customers have at their disposal a set of additional services such as online access to their portfolio along with the ability to update their personal data preferences. This will give us a major advantage over other insurers, allowing us to enhance customer engagement and strengthen customer relationships.

Trust is synonymous with insurance and is the cornerstone to building and keeping long customer relationships. We will promote this extended trust coming out of GDPR compliance, hoping to gain a clear advantage in the Greek insurance market. The GDPR is not just another compliance framework, but a great opportunity to enhance operational excellence.

When did this project start and why did you choose SAS?

Liapakis: GDPR compliance is our highest priority. Our initial steps were POCs and workshops with data management consultants to determine the organization’s needs according to GDPR requirements. We arranged several meetings with the best vendors in the Greek and EU markets to assess solutions to meet our needs.

SAS delivered on its promise with the highest quality and inked itself as our strategic partner in supporting this significant data management implementation. We chose SAS due to its vast tool set and high-quality services along with its demonstration of great willingness and remarkable reflections.