Risk, trust, and compliance

21 April 2026 | Compliance - Regulatory | General | Myra Knoesen

As the global landscape of data privacy continues to evolve, insurers must stay ahead of shifting regulations to protect both their clients and their businesses. In an era of heightened awareness around data security, the insurance sector faces significant challenges in compliance, risk management, and customer trust.

FAnews spoke to Rosalind Lake, Head of Cyber Security, Data Privacy, and AI at Deneys, for insights on how evolving privacy laws will impact the insurance industry in 2026 and beyond.

Growing complexity of global data privacy regulations

One of the most pressing concerns for insurers is the increasing complexity of data privacy and cybersecurity regulations, which differ in each country of operation. According to Lake, some regions, such as Europe, are shifting toward harmonising data privacy laws to simplify compliance, but on a diverse continent like Africa, conflicts in law and enforcement create compliance complexity for insurers, or their insureds, operating in multiple countries. “Globally, there is a move towards harmonising data privacy laws to simplify compliance,” Lake explains. “However, in Africa, the critical development is the proliferation of new data privacy regimes and increasingly active regulators. Enforcement is on the rise.”

Insurers typically carry a heavier compliance burden than most businesses, because they must comply with both general data privacy legislation and sector-specific regulations. In South Africa, for example, the Prudential Authority and the Financial Sector Conduct Authority (FSCA) have issued binding standards for cyber resilience within the insurance sector. “Insurers now face a dual compliance burden: general data privacy legislation alongside sector-specific cybersecurity requirements,” says Lake.

Cross-border data flows add a further compliance burden: “Cross-border data flows present specific compliance challenges. Countries like Nigeria require regulatory permission before personal information leaves the jurisdiction, while others prohibit transfers altogether. If a breach or regulatory investigation occurs where cross-border data is impacted, the organisation's exposure is considerable.”

The evolving role of data management

Data management strategies are key to managing insurer, regulatory, and cyber risk.

“These evolving requirements demand that insurers exercise rigorous discipline in data management. Proper data retention practices, clear classification of data assets, and robust systems for identifying what personal information the business holds are now essential - not optional.”

Insurers are particularly exposed, which is why strict sector-specific laws on cyber and data privacy apply to them. “Given the volume and sensitivity of information insurers handle, from health data to financial records, this is both a compliance imperative and a matter of sound risk management,” Lake asserts.

Challenges in achieving compliance

Achieving full compliance with evolving data privacy standards is not a one-time task but a continuous process that requires commitment at every level of the organisation. Lake identifies three major challenges insurers face in ensuring ongoing compliance: implementation, monitoring, and board-level engagement.

“Data privacy and cybersecurity compliance is a continuous process, not a one-time project,” says Lake. “In my experience, organisations, including insurers, face three persistent challenges.” First, she notes that many businesses develop sound policies but struggle to implement them consistently across operations: “implementation” refers to the difficulty businesses often have in embedding policies across their systems and practices. The second challenge, “ongoing monitoring,” is about continually assessing risks and updating security measures to respond to new threats. Lastly, Lake points out that “board-level engagement” is often lacking, which can lead to significant compliance gaps. “Too often, cyber and privacy risk does not receive the strategic attention it warrants. When decision-makers do not fully grasp the technical requirements, compliance gaps inevitably follow.”

To address these challenges, Lake stresses the importance of prioritising compliance on an ongoing basis. “The key to preparation is treating compliance as an ongoing governance priority, with clear accountability and regular review cycles built into the business.”

Privacy and innovation: striking the right balance

As data privacy laws become stricter, insurers must balance leveraging data for innovation with maintaining compliance. Lake believes that privacy by design, embedding privacy into processes from the outset, can help insurers innovate while staying within the bounds of the law. “The key is to embed privacy into your processes from the outset, which is often termed ‘privacy by design’,” she says. “If your platforms and products are built around lawful processing principles, leveraging data for commercial purposes becomes straightforward.”

However, Lake also advises caution when handling sensitive data. “Organisations often collect more personal information than is strictly necessary,” she explains, adding that there is always a trade-off. “The more valuable the data you hold, the greater your attractiveness as a target for cyber attackers.”

Third-party risk is another consideration, as many data-driven products rely on external providers. “South African insurers have explicit obligations under the Joint Standards to manage outsourcing arrangements with cyber and privacy risks in mind,” she warns. “We recommend that insurers adopt robust, ongoing monitoring processes for their supply chains, and consider software solutions that provide continuous visibility over third-party risk.”

Navigating legal and financial risks

Failure to comply with updated privacy regulations can have serious financial and reputational consequences for insurers. While financial penalties under some laws, like South Africa's Protection of Personal Information Act (POPIA), have been relatively modest, Lake highlights the more substantial penalties that could result from non-compliance with the Joint Standards. “Under POPIA, the immediate financial penalty risk is relatively low,” she notes. “However, the position under the Joint Standards is different. The FSCA has extensive enforcement powers, including the ability to impose substantial financial penalties or, in the most serious cases, suspend an insurer's licence.”

Lake emphasises that insurers should focus on ensuring compliance and have clear protocols in place for handling incidents. “The practical priority is ensuring your organisation can demonstrate compliance and has clear protocols for regulatory notification when incidents occur,” she says. “Insurers face additional reporting obligations beyond standard data breach requirements.”

Reputation damage, however, is perhaps the most significant risk. “Reputation is paramount in insurance. Data usage fundamentally depends on trust, and a breach of that trust, whether through a cyber incident or mishandling of personal information, can cause lasting damage that no balance sheet can fully capture,” Lake adds.

Transparency and trust in data usage

Transparency is becoming a critical element for insurers as they navigate customer concerns about how their personal information is used. Lake stresses that transparency is not just a legal requirement but a crucial way to build and maintain customer trust. “There is widespread public distrust of how organisations, including insurers, handle personal information,” she observes. “Transparency is, therefore, not merely a legal requirement; it is essential for building and maintaining customer trust.”

Customers are increasingly aware of their rights and expect insurers to be upfront about how their data is being used. “People understand that cyber incidents and data breaches happen. What causes lasting reputational damage is not the breach itself, but how organisations respond,” Lake points out. “The lesson is clear: be explicit and honest about how you will use personal information, and ensure your actual practices match your stated commitments.”

Emerging technologies and the future of compliance

Technologies like AI and blockchain present both opportunities and risks for insurers striving to maintain compliance with evolving data privacy regulations. Lake explains that while these technologies can help enhance monitoring and data classification, they also introduce new privacy risks. “AI and blockchain are double-edged swords for data privacy,” she says. “While these technologies can support compliance through enhanced monitoring, automated data classification, and more efficient responses to data subject access requests, they also introduce new risks.”

Insurers deploying AI must ensure they have robust governance frameworks in place to assess the risks. “Any organisation deploying AI must have a documented governance framework in place,” Lake insists. “This should include a personal information impact assessment that rigorously evaluates whether the benefits of the AI application genuinely outweigh the privacy risks.”

As data privacy concerns continue to shape the insurance sector, insurers must embrace these evolving regulations, build stronger compliance frameworks, and foster trust with their customers to remain competitive and secure in the years to come.

Writer’s thoughts

As the regulatory landscape around data privacy continues to shift, insurers must remain agile in adapting to new compliance challenges. By staying proactive and maintaining transparency, the industry can ensure both regulatory alignment and continued trust from their clients. Please comment below, interact with us on X at @fanews_online or email me your thoughts.
