The following article is an opinion piece from Andrew Bridges, Data Quality and Governance Manager at REaD Group, the UK’s largest independent data communications group.
Today marks exactly one year until the implementation of the General Data Protection Regulation (GDPR). For those who may not be aware of what this regulation is, the GDPR is the long-overdue replacement for its woefully outdated predecessor, the Data Protection Act, which came into force in the late 1990s before the dawn of the digital age.
The GDPR will change the way in which businesses handle customer data, creating new rules around customer consent, profiling, data portability and the customer’s right to be forgotten. Any company handling European citizen data will have to comply with this incoming regulation by May 25, 2018, and businesses in the insurance sector are by no means an exception. If anything, the GDPR is of more relevance to insurers as brokers and underwriters require customer data to create and implement effective policies. With only 12 months to go until the regulation, it is vital that the insurance sector can continue operating efficiently while transitioning from old to new data protection laws.
What is GDPR?
The digital age has revolutionised the insurance sector completely, heralding new ways to gather customer data and implement insurance policies. Access to increasing amounts of data has enabled insurers to better understand the customer and to conduct superior risk modelling, in order to provide more accurate price policies. As a result, customers benefit from more tailored insurance packages.
However, with ever-increasing volumes of data come questions about how best to collect and store information. A number of scandals in the insurance sector have prompted concern from customers about the exploitation of their personal data. For instance, news that Admiral had planned to use Facebook data to set car insurance price packages came under fire last November, raising awareness of the ways in which data is being used without consumers’ full knowledge. The GDPR is being introduced to meet the rising demands of the consumer, providing greater levels of data regulation and compliance to ensure data is used and held responsibly and in a transparent manner, with the full understanding of the customer.
Insurers will inevitably greet the GDPR with some trepidation, as it will change the way in which companies can access and use customer data, altering the foundations on which the insurance industry is structured. If insurers follow preparatory advice carefully, they can remain one step ahead of GDPR, remaining compliant and safeguarding the important relationship with their customers. A legislative change on this scale may be challenging to absorb and implement, but insurers have no other option to retain their professional credibility.
What can insurers do to prepare for GDPR?
Insurers will need all the time they can get to prepare and this should start today, by conducting a thorough audit of their data estates and what customer data they actually hold. After all, while GDPR is 365 days away, it is only 188 business days away. Insurers must therefore adhere to a strict timeline in the lead up to GDPR, taking into account the following terms of the regulation:
Consent
One of the most significant terms of GDPR is consent to use customer data. In other words, it refers to the permission given by an individual to allow the processing of their data. There has been a noticeable shift in recent years towards customer centricity, with insurers having to work harder than ever to attract and retain customers. Insurers will have to make sure that consent exists to use and profile a customer’s data. Insurers should also state how they intend to use the data; transparency is the key here to build the trust required in the data exchange relationship.
It is a chance for insurers to explain how this can benefit the customer, such as by providing more personalised policies. Insurers strive to paint a clear picture of a customer insurance package; therefore the same attitude should be applied to customer data protection.
Data portability
This term acknowledges the fact that customers have ownership and control of their own personal data, allowing them to reuse their data for their own purposes. Insurers should therefore accept that access to this customer data is only temporary, and will end the moment customers decide to change their choice of insurer.
If the customer chooses to switch insurance provider, the previous insurer will be legally obligated under the terms of GDPR to pass on his or her data, before then erasing it from their records.
Right to be forgotten
Also known as the ‘right to erasure’, the right to be forgotten is one of the most daunting aspects of the upcoming GDPR from the viewpoint of insurers. Under the proposed regulation, organisations need to make sure every reasonable step has been taken to ensure that inaccurate personal data is rectified or deleted. Personal data should also be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorised access to or use of personal data.
Should insurers be worried about GDPR?
There has been a great deal of scaremongering in the press around GDPR, fuelled in large part by the fact that there is still a great deal of uncertainty around exactly how the regulation will be implemented. Insurers should not be scared of GDPR, but should remain vigilant and should keep an eye out for further updates from the Information Commissioner’s Office (ICO). It would be advisable to have internal resources tracking future updates, as time will be of the essence to deploy the changes required to internal processes and systems. Failure to comply with new data protection laws could result in a hefty fine for non-compliance, consisting of 4% of company turnover, not to mention the irreversible reputational damage. In an industry that has experienced its fair share of reputation scandals in the past decade, why risk it?
Positive impact of GDPR
Companies have become too focused on the negatives of GDPR and quite often forget to consider the multiple positives that will result from the implementation of this regulation. In terms of building a healthier customer relationship, GDPR is very welcome news. It will result in greater levels of transparency, which in turn will engender customer trust. It will allow insurers to clearly present to the customer the advantages of sharing data.
Take car insurance providers for example; if the driver is willing to share data gathered from their car journeys, insurers will in turn be able to provide a more tailored policy, offering better value for money that is not based on a generic customer profile. Drivers who can prove that they are safe on the road and therefore a lower risk investment to insure will benefit. GDPR is an opportunity to inject a much needed dose of customer trust back into the sector and for customers to realise that insurers have their clients’ best interests at heart.
For those of you worrying about the additional costs of re-evaluating customer data sets, building information strategy, contacting customers for permission to use data, and erasing all non-compliant data, it is essential to recognise that compliance is not a choice, it is a legal obligation. Internal data that has no relevance and is not permissioned to be used is a liability, so why keep it? Given that the insurance sector prides itself on its ability to accurately measure risk, it should lead by example by strictly adhering to GDPR. In turn, insurers will be rewarded with soaring levels of customer satisfaction, engagement and trust.
The preceding article was an opinion piece from Andrew Bridges, Data Quality and Governance Manager at REaD Group, the UK’s largest independent data communications group. The views expressed within the article do not necessarily reflect those of Insurance Business.