Interamerican uses SAS® for Personal Data Protection to safeguard its systems and comply with new EU General Data Protection Regulation
With the adoption of the EU General Data Protection Regulation (GDPR), organizations throughout the region must work diligently to reshape how they approach data privacy and protect residents’ personal data. Though some might view this as a formidable challenge, others see it as an opportunity to strengthen their relationships with customers by creating and extending levels of trust and loyalty.
As the largest private insurance company in Greece, Interamerican provides life, health and property insurance to more than 1 million customers. With that many policyholders, Interamerican is responsible for handling – and protecting – a vast amount of data. To comply with the new GDPR, the insurer turned to SAS for Personal Data Protection.
We recently talked with Xenophon Liapakis, CIO of Interamerican, to learn how the company is preparing for the new regulation, and how their customers remain at the heart of how the organization operates.
What are the main steps of Interamerican’s implementation approach to comply with the GDPR? Which regulation requirements are hardest to comply with?
Xenophon Liapakis: Interamerican’s first step was to be knowledgeable of the GDPR content. A deep-dive analysis of the legislation was required so we could successfully identify, adapt and comply with GDPR requirements. The next step was a detailed presentation to senior management to raise awareness of the impact and key points of the new regulation, and finally to get their approval to initiate the journey toward compliance.
We started with the creation of new project roles such as data protection officer and data traffic controller, and strengthened existing roles such as data governance, data stewards, data owners and data citizens. Following the well-defined GDPR project tasks, we also allocated a pre-budget for implementation. The next step was to evaluate our current status to assess the readiness of the organization, and identify and prioritize the actions needed.
In parallel, all employees were engaging with GDPR-related activities, starting with awareness quiz sessions, CEO messages and posters. The GDPR implementation methodology consists of specific steps that cover the areas of data governance and risk management. Building an accountability framework is a major task involving data lineage, enterprise business glossary and data flows to classify personal data. We were also adjusting our security processes and implementing new ones for data breaches and handling of data provision requests from different parties, resulting in the creation of a well-defined risk assessment as well as data breach management framework.
We arranged several meetings with the best vendors in the Greek and EU markets to assess solutions to meet our needs. Xenophon Liapakis CIO Interamerican
How do you find a balance between security and performance in achieving, analyzing and delivering the right data sets?
Liapakis: Finding a balance between security and performance, as defined in the GDPR, is a challenging task because it involves people, tools and processes in the same context. New tasks are being defined and implemented for all data processes, such as the creation of a new framework for handling data requests, strengthening authorization schemas and extending data masking and encryption mechanisms.
On the other hand, continuously building a secure data framework will introduce several challenges to confront, such as lower data transaction rates, lower data performance, infrastructure optimization, extra cost for storage, etc. Ultimately, this approach leads to an “elusive” data ecosystem.
Privacy by default and by design is already embedded in our organization, and all policies, processes and systems are designed according to those principals.
The best scenario is to have constant supervision of the security procedures applied on every data set by measuring the advantages and disadvantages per business case based on clearly defined KPIs and practices.
In the context of the GDPR requirements, we’ll be able to continue supporting the various departments of the company – providing the data sets needed for daily business and analytics processes – while ensuring all GDPR security requirements are met.
The lakes you are fishing information from – and the integration needed with internal sources – will demand new skills. How are you developing them?
Liapakis: Interamerican always invests in new tools and skills to facilitate new business requirements. When a new tool is adopted, we make sure that all necessary skills are acquired by our staff through proof of concepts (POC) in specific business cases by using pilot installations in our premises, training sessions through workshops by skilled consultants and daily interactions with global support teams and communities that our vendors provide us. The result: Highly specialized knowledge is shared among all involved parties.
To whom, in the organization, is the new data governance platform addressed? How is it going to change the day-to-day processes and the job of the company’s employees?
Liapakis: Under the new data governance model, our employees operate in a more secure and efficient way. Additionally, the new GDPR requirements gave us the opportunity to invest and boost our data ecosystem. New tools, expertise and knowledge are used not only to comply with regulations and protect our data, but also to advance our data management practices by providing extended capabilities in data analysis, data quality and data handling.
Interamerican – Facts & Figures
Greece's largest private insurer
"Of GDPR is data management"
What kind of new services and businesses do you expect to deploy once you reach the result you're looking for in the data management? What are the expected benefits for your customers?
Liapakis: Our customers have at their disposal a set of additional services such as online access to their portfolio along with the ability to update their personal data preferences. This will give us a major advantage over other insurers, allowing us to enhance customer engagement and strengthen customer relationships.
Trust is synonymous with insurance and is the cornerstone to building and keeping long customer relationships. We will promote this extended trust coming out of GDPR compliance, hoping to gain a clear advantage in the Greek insurance market. The GDPR is not just another compliance framework, but a great opportunity to enhance operational excellence.
When did this project start and why did you choose SAS?
Liapakis: GDPR compliance is our highest priority. Our initial steps were POCs and workshops with data management consultants to determine the organization’s needs according to GDPR requirements. We arranged several meetings with the best vendors in the Greek and EU markets to assess solutions to meet our needs.
SAS delivered on its promise with the highest quality and inked itself as our strategic partner in supporting this significant data management implementation. We chose SAS due to its vast tool set and high-quality services along with its demonstration of great willingness and remarkable reflections.
Les résultats présentés dans cet article sont spécifiques à des situations, problématiques métiers et données particulières, et aux environnements informatiques décrits. L'expérience de chaque client SAS est unique et dépend de variables commerciales et techniques propres, de ce fait les déclarations ci-dessus doivent être considérées dans un contexte. Les gains, résultats et performances peuvent varier selon les configurations et conditions de chaque client. SAS ne garantit ni ne déclare que chaque client obtiendra des résultats similaires. Les seules garanties relatives aux produits et services de SAS sont celles qui sont expressément stipulées dans les garanties contractuelles figurant dans l’accord écrit conclu avec SAS pour ces produits et services. Aucune information contenue dans le présent document ne peut être interprétée comme constituant une garantie supplémentaire. Les clients ont partagé leurs succès avec SAS dans le cadre d’un accord contractuel ou à la suite de la mise en œuvre réussie du progiciel SAS. Les noms de marques et de produits sont des marques déposées de leurs sociétés respectives.