In a normal year, springtime has insurers (property and casualty in particular) preparing for the hurricanes, wildfires, flooding and other environmental catastrophes that typically accompany April showers. But this year, spring introduces an entirely different challenge, one that has nothing to do with physical environments and everything to do with data: How should insurers collect, use and protect it? The Global Data Protection Regulation (GDPR) will go into effect on May 25, 2018. GDPR is a set of rules designed to provide clarity, transparency and protection for the personal information of all European Union (EU) residents. It applies to any company worldwide that stores personal information of EU residents, prohibits unauthorized access to that data, and ensures consumers understand and control how their personal information is treated. Failure to comply can result in stiff penalties.

Business and technology

The sections of GDPR that focus on how companies' IT and data security practices operate are robust. The timeframes allowed for reporting security breaches are almost immediate. Systems must be designed to ensure that personal information management is high quality, accurate, consistent across databases, secure, private, and includes clear data lineage. Direct accountability for oversight of all GDPR mandates must exist within the company, dictating the appointment of a qualified Data Protection Officer in some instances. Business aspects of GDPR reach across the company and aim to provide customers with much more control over their personal data. Obtaining clear and unambiguous consent from customers for communications and solicitations is required. Companies also must let consumers see, receive and correct (if necessary) all personal information stored in company databases. Customers must have the power to "be forgotten," meaning they can ask for their personal information to be removed from company databases. Personal data cannot be retained past a "reasonable use" timeframe. And customers have the right to understand and agree to how their personal data is being collected and used.

The insurer's challenge

The IT and data security requirements of GDPR could place significant burden on insurers, particularly those with antiquated legacy applications, siloed business units and databases, and less than mature data management and governance practices. However, impacts on business units are arguably even more significant. Insurance is a data-intensive and analytical business. Insurers collect and maintain significant amounts of personal data, using it for everything from detecting risk and pricing policies to identifying fraud and facilitating claims processes. The following business units could see substantial impacts as GDPR enforcement gets underway:

Marketing

Marketers face growing pressures to improve customer experience, personalize messaging and react to customers in real time. Data and analytics are critical tools marketers use to accomplish this, but GDPR may get in the way. GDPR mandates that companies obtain "freely given, specific, informed, unambiguous consent" for solicitations and communications. This means marketing can no longer rely on soft opt-in processes, lack of opt-out, or a simple blanket opt-in checkbox for communication and analysis activities. At best, communications, campaigns, and web and mobile applications must request and store consent on an individualized, action-oriented basis. These consent forms must be captured, stored and auditable, so companies can prove when consent was given and for what. At worst, companies may need to review all customer databases to understand whether obtained consents meet GDPR requirements.

Pricing and underwriting

Rich data, including IoT data from telematics devices, enables pricing and underwriting functions to identify granular risk pools and price policies on a highly customized basis. Credit history, health information and location data play an increasing role in underwriting decisions. Collecting this type of personal data raises some thorny GDPR questions. Have individuals consented to the collection of this data? Do they know when it is being collected? Do they understand how it is being used? Can the company explain how decisions pertaining to price or coverage have been made? Further complicating things, many of these decisions are automated — i.e., AI or machine learning algorithms (where decision parameters are less transparent) facilitate decision-making based on personal data. This analytical activity will most likely fall under profiling, defined under GDPR as, "Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements." This expands the customer rights insurers will have to satisfy. Underwriters (or issuing agents) will have to prove this type of analysis meets certain criteria. Is the resulting decision in the customer's best interest? Can the customer get a clear explanation of these decisions? Is the company taking measures to prevent discrimination on the basis of ethnicity, political opinions, religion, etc.? Customers will have the right to object to automated decisions, asking instead for human intervention. At minimum, insurers will have to facilitate non-automated pricing decisions and make factors influencing algorithmic decisions clear.

Fraud and claims

Data is the cornerstone of fraud detection. Not only do insurers rely on their own first-party data for fraud prevention, they also share information across agencies such as the Insurance Fraud Bureaus (IFBs) and Comprehensive Loss and Underwriting Exchange (C.L.U.E.). These agencies collect and store customers' personally identifiable information, including criminal histories, claims history, etc. In most cases, insurers themselves contribute customer information to the agencies in addition to receiving it. While the industry awaits clarification regarding acceptable uses, it's clear that insurers will have to explain what information they're sharing, how they're using agency information, and possibly defend the necessity to do so. The right of a customer to be forgotten, e.g., demand erasure of their personal data, also raises questions. Removing claims loss data or fraud reports will make it difficult to detect and stop fraudulent activities (particularly for repeat offenders), and the industry is working with regulators on this issue. Claims processing also will be impacted, as insurers routinely work with third parties (suppliers, mechanics, repair services, etc.) to complete claims. At minimum, insurers will be on the hook to ensure that, when they pass customer information to suppliers, those companies also apply the mandated GDPR protections. If a customer asks to be forgotten, the insurer will have to ensure the information is erased not only from its own databases but also from third-party databases, which will not be an easy task. Regardless of the sentiment this legislation generates, one thing is clear: GDPR will have a profound impact on the insurance industry and finance businesses worldwide. This impact will force insurers to re-evaluate both analysis and data collection practices, and customer communications.
Complying with GDPR also may spur insurers to forge close partnerships between their business units, IT, and security or privacy departments.

Lisa Loftis is a thought leader on the SAS Best Practices team, where she focuses on customer intelligence, customer experience management, and digital marketing. She is co-author of the book, Building the Customer Centric Enterprise. She can be reached at [email protected]. https://twitter.com/lisamloftis | https://www.linkedin.com/in/lisaloftiscrmcem


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.