For the insurance industry, the General Data Protection Regulation (GDPR) looks set to have a significant long-term impact, affecting areas such as automated decision making, data retention, portability and erasure (to name just a few).
So how should insurers handle the new law? The initial GDPR readiness project is now behind you, leading to the next challenge: adapting your existing processes – and perhaps even your entire business model – to accommodate the new data law framework.
Here’s our take on how to absorb the changes as painlessly as possible, to spot the opportunities offered by the GDPR, and to stay on the right side of the regulator.
GDPR and insurance: the big picture
Spurred on by the publicity surrounding the new law, consumers are becoming more data savvy; they want to know who controls it, what it’s used for and why. Shortly after the arrival of the GDPR, data regulators across Europe reported a sharp rise in the number of public complaints. If this is a taste of things to come, it seems that from now on, customers may be significantly more likely to take formal action if they feel their data is being misused.
Meanwhile, through a combination of comparison sites and direct online market access, it has never been easier for your customers to switch providers. Insurers who run into problems with the regulator – or who are seen as non-responsive and untrustworthy when it comes to data – are indirectly giving customers a good reason to look elsewhere for coverage.
By contrast, total transparency, user-friendly ways for customers to exercise their data rights and an ‘all-clear’ record with the data regulator can all help to bring new customers on board – and to convince existing policyholders that you are worth sticking with at renewal time.
Overall, this is perhaps the biggest change that the GDPR will bring about in the long term. Rather than viewing data law compliance as a backroom issue, it’s actually a valuable way of building up customer trust – and of strengthening your credentials as a safe pair of hands.
The rules in focus: what all insurers should be aware of
While certain existing rights and obligations have been strengthened, the GDPR also ushers in some new concepts for insurers to get to grips with. Key changes include the following:
‘New and improved’ data rights for individuals
To illustrate how these rules will have an impact day to day, we’ll use the example of a customer considering her renewal options. It’s a niche policy, and to aid in her research, she asks you for copies of the personal data you hold on her. The GDPR now requires that you supply this free of charge (the right to access).
She has sourced a new provider and requests the transfer of her policy profile to it (the right to data portability). Later on, she requests that you delete her records (the right to be forgotten).
The need for clear, justifiable retention rules
Storage limitation is one of the key GDPR privacy principles: the requirement to keep personal data for no longer than is necessary. It’s not acceptable to apply a single retention policy to all personal data in all circumstances without any real analysis.
When rolling out new policy lines, platforms and organisational changes involving new personal data processing activities, you will need to be able to justify your retention period in each instance (e.g. with reference to specific ABI and tax requirements). New GDPR data governance obligations (in particular, mandatory privacy impact assessments) mean that you will have to demonstrate your reasoning here. You will also need to set these policies out in an easily understood manner for customers via your privacy policies.
Profiling: handle with care
Artificial intelligence is a hot topic for incumbents and insurtechs alike. Automation has long played an important part in, for instance, enabling insurers to put together policy offers. The GDPR doesn’t put an end to this – but it does affect ‘profiling’ and ‘automatic decision making’. Profiling is taking information about individuals and using it to put those individuals into categories, often for the purpose of making predictions about their likely behaviour. Profiling is a form of processing of personal data and, as such, is allowed, as long as all the GDPR rules which apply to processing are followed, such as being completely transparent about such profiling and giving individuals the right to object to it.
Automatic decision making (which may include profiling) is the ability to make decisions by technological means with no human involvement. The GDPR prohibits this unless it is completely necessary to enter into a contract (unlikely to apply in the insurance context); authorised by law (doesn’t apply to insurers); or with the explicit consent of the individual (what insurers will have to rely on if they want to make such automated decisions without any human involvement). If such automated decisions are made, insurers will still need to offer individuals the ability to request that a human review the decision.
So let’s say you are following a strategy of increased reliance on AI and automation within your business. This is still likely to be possible – just so long as you hardwire an appropriate level of human input into your processes.
What next? Areas that demand special attention
Privacy impact assessments
For the insurance sector as a whole, the importance of these assessments is hard to overestimate. For one thing, you are likely to be routinely processing some of the most sensitive information relating to individuals; precisely the type of data the new law aims to protect. And especially if you are seeking to implement ‘next generation’ automation, you need to be able to actively demonstrate that individuals’ rights are being safeguarded. Privacy impact assessments are compulsory where automated decision making is taking place.
Establishing a lawful basis for individual processing activities
This is another area that requires a combination of constant vigilance and good record keeping. If you are relying on consent, what would the implications be for your business model if that consent were to be withdrawn? Is your reliance on ‘legitimate interest’ fully backed up? One potential pitfall here is over-reliance on ‘fraud prevention’ as a catch-all legitimate interest, without considering whether this can be justified.
Enabling customers to securely access their full profile, to take copies and rectify errors: all of this can make it much easier for those individuals to exercise their data rights – and it makes sense from a customer service perspective, too.
The Privacy Compliance Hub: helping you stay on top of compliance
Whether you are refreshing your online platform or reporting an attempted data breach to the regulator, compliance should never be a tick-box exercise. Telling you what you need to do, who should do it and when, the Privacy Compliance Hub provides a complete framework for GDPR compliance. To find out more, take a look at our demo – or get in contact for a chat today.