By Andrew Bridges, Data Quality and Governance Manager at REaD Group
It’s not often that data protection specialists make the headlines, but with the imminent arrival of the new EU General Data Protection Regulation (GDPR), the spotlight is shining brightly on the data industry. A great deal of my time is now taken up with helping our clients ensure that they can continue to do business after GDPR takes effect on May 25th 2018.
What is GDPR?
By way of background, for the last four years the EU member states have each been adding their ten penn’orth to a new data protection law. The aim is to unify Europe in data protection terms and to ensure both that the data of EU citizens is protected and that their choices are more respected.
Inevitably, any legislative change can be difficult to absorb, but the truth is that the current Data Protection Act is out of date. It pays scant regard to digital communications and to the rich media and information that are collected in today’s information age, and is essentially no longer fit for purpose.
Add to this the need for organisations to be fundamentally more consumer-centric in their approach, and in GDPR the result is a more than passable piece of legislation that should deliver on the objective of a more positively disposed consumer. The days of purloining data and hoodwinking consumers are over; that just won’t cut the mustard anymore. Successful organisations of the future will be those that have genuinely open and transparent relationships with both their customers and their prospects.
What are the biggest issues that might affect insurers?
- Consent
Consent is essentially the permission given by an individual to allow the processing of their personal data, and it is subject to strict conditions under the GDPR.
Firstly, and perhaps most importantly, there is no threat to renewal programmes for insurers. The GDPR itself sets no fixed lifetime for consent; following a great deal of industry discussion about how long it should last, the general consensus is six months. It might therefore have been argued that insurers would need to acquire a mid-term consent in order to undertake an annual renewal. However, it is clear that provided an insurer is doing something that is ‘relevant’ to the original purpose and that the consumer would reasonably expect, no further consent is required.
It is nevertheless advisable to seek consent from an individual at the commencement of the policy, in the interests of transparency and to avoid any surprises. After all, why hide? Loyalty and relationships with the consumer need to be built on a foundation of trust. If insurers would like to contact previous customers a year after their policy has expired, they will need to renew consent to avoid accusations of storing data that is no longer relevant for longer than is necessary.
- Profiling
Profiling is defined by the GDPR as any form of automated processing of personal data used to evaluate certain personal aspects of an individual. As so much of underwriting is now dependent on analysis and profiling, insurers will need to be extremely careful not to overstep what is a very narrow path within the GDPR.
The regulation is very clearly concerned with organisations creating models that corral groups of citizens under one presumption. Under the GDPR, insurers will in most cases need specific consent from citizens in order to profile them or to use their data in the creation of a segment. This needs to be explained to consumers in an unambiguous way, so that people understand the benefits of this more tailored approach to their communications.
One of the biggest challenges will be clarifying the difference between data that can be consensually profiled and analysed and data that cannot. In the GDPR these differences are expressed as ‘profiling with legal or similarly significant effects’ and ‘other profiling without such effects’, the latter including most profiling for direct marketing purposes. Anyone who blurs this subtle distinction risks serious consequences.
- Data portability
Data portability is a concept intended to protect individuals from having their data stored in “silos” or “walled gardens” that are incompatible with one another. In a world where our governments feel that consumers should be able to switch service provider at the touch of a button, data portability is heavily enshrined in the regulation. A consumer should not be disadvantaged in any way: they should have prompt access to the data held on them, in a structured, commonly used and machine-readable format, and should be able to have it passed on without undue delay to a competitor. Again, this will require some work for many insurers, who for many years will have built systems and processes that deliver precisely the opposite.
- Right to erasure
You will no doubt have read about the ‘right to be forgotten’, now called the ‘right to erasure’. This is driven by the issue of relevance. Gone are the days of just sitting on piles and piles of data waiting for that elusive rainy day. If companies are holding data that serves no specific purpose, it must be deleted. This will have a significant impact on the majority of insurers, who conduct a large amount of their analysis on lapsed and historical data. In principle, citizens should be able to transact with an organisation and, when they move to an alternative provider, the old organisation should retain no record of that interaction unless it has another lawful reason to keep it, such as a statutory retention period. This therefore prevents companies from storing information on customers who should not be contacted. We expect to hear more about this closer to GDPR implementation.
So what happens if you get it wrong?
Well firstly, this is an EU regulation and as such it comes with a ‘one-stop shop’ for enforcement: an organisation operating across several member states deals with a single lead supervisory authority, in the state of its main establishment, which coordinates with the other national regulators. That consistency across the EU matters given the potential enormity of the fines. A serious data breach caused by anything less than best endeavours could cost you up to 4% of global annual turnover, or €20 million if that is higher. Think Sony or Yahoo – ouch!
The foregoing warnings aside, it is difficult to criticise this new regulation. It undoubtedly recognises the need to interact with customers on a more individualistic basis and aims to provide more clarity to consumers around what is going to happen to the data they share. It also sets out to engender more trust between individuals and organisations.
The world is a different place today, and if we want loyalty, commitment and support from our customers then we had better make absolutely sure that they trust us. Trust starts with doing precisely what you said you would do. Trust is experiential; it is pointless to make bold claims of ‘I want you to trust me’ (more often than not this provokes the opposite reaction). Trust is earned, and it takes time to acquire.
Implementing GDPR will be difficult and, regrettably, there is no quick fix. Many of the practices that have been the fulcrum of marketing will have to go, or at the very least change. Insurers will have a lot less data to play with, and consequently should be working on consent today. Every piece of communication to a consumer is an opportunity for insurers to become GDPR compliant, now. The work that I am doing with many companies is all about continuing to market ourselves while complying with this new regulation. It is possible, but it takes time. The time between now and May 25th 2018 will go by in a flash, so organisations cannot start soon enough.
Pain? Certainly. Radical overhaul of your data and marketing strategy? Absolutely. But, this will result in a consumer that is more trusting, more engaged and more positively disposed. I’m not sure there is any price too large for that.
Original publication in Finance Digest Issue 1, https://www.financedigest.com/