Finance Digest_Issue 1


INSURANCE

What does GDPR mean for insurers?

It’s not often that data protection specialists make the headlines, but with the imminent arrival of the new EU General Data Protection Regulation (GDPR), the spotlight is shining brightly on the data industry. A great deal of my time is now taken up with helping our clients ensure that they can continue to do business post GDPR implementation on May 25th 2018.

By way of background, for the last four years each EU member has been adding their ten-penneth to a new data protection act. The aim is to unify Europe in data protection terms and ensure both that the data of EU citizens is protected and that their choices are more respected.

Inevitably, any legislative change can be difficult to absorb, but the truth is that the current Data Protection Act is out of date. It has scant regard for digital communications, in terms of the rich media and information that is collected in today’s information age, and is essentially not fit for purpose. Add to this the need for organisations to be fundamentally more consumer-centric in their approach, and in GDPR we have ended up with a more than passable piece of legislation that should deliver on the objectives of a more positively disposed consumer. The days of purloining data and hoodwinking consumers are over – this just won’t cut the mustard anymore. Successful organisations of the future will be those that have genuinely open and transparent relationships with both their customers and prospects.

What are the biggest issues that might affect insurers?

Consent is essentially the permission given by an individual to allow the processing of their personal data, and is subject to strict conditions under the new GDPR. Firstly, and perhaps most importantly, there is no threat to renewal programmes for insurers. Following a great deal of discussion about how long consent should last, the general consensus is six months. It might have been argued that insurers would need to acquire a mid-term consent in order to undertake an annual renewal. However, it is clear that, provided an insurer is undertaking that which is ‘relevant’ to the original purpose and what the consumer would reasonably expect, no further consent would be required. It would still be advisable to seek consent from an individual at the commencement of the policy, in a bid to be transparent and avoid any surprises. After all, why hide? Loyalty and relationships with the consumer need to be built on a foundation of trust. If insurers would like to contact previous customers a year after their policy has expired, they will need to renew consent to avoid accusations of storing irrelevant data for longer than is necessary.

Profiling is defined by GDPR as any form of automated processing intended to evaluate certain personal aspects of an individual. As so much of underwriting is now dependent on analysis and profiling, insurers will need to be extremely careful not to overstep what is a very narrow path within GDPR. The regulation is very clearly concerned with organisations creating models which corral groups of citizens under one presumption. Under GDPR, insurers will need specific consent from citizens in order to profile them or use their data in the creation of a segment. This needs to be explained to consumers in an unambiguous way, to ensure people understand the benefits of this more
