Think GDPR doesn’t apply to you? Don’t be so sure

Many companies have no plan for GDPR, because they do not believe that it will apply to them. That's a mistake.

If you do business with EU residents, those residents can demand protections. (National Underwriter Property & Casualty magazine)

I recently wrote about the considerable impacts that the General Data Protection Regulation (GDPR) will have on insurers. GDPR will touch virtually every function within insurance companies, including IT, marketing, claims, pricing and underwriting, and fraud prevention.

Despite this month’s compliance deadline and its significant impact, many companies have no plan for GDPR, because they do not believe that it will apply to them. NTT Security found that four in 10 companies globally feel this way, with 75% of US businesses indicating that their companies would not be affected. This is a mistake.

If you do business with EU residents, those residents can demand protections. According to Globe Newswire, 52% of US businesses possess data on EU residents. American expats who still own houses in the US, EU citizens with vacation property — all with homeowners insurance — are a few glaring examples.

More significantly, American consumers are raising their privacy expectations. Facebook and Cambridge Analytica brought this issue roaring into the minds of legislators and US citizens alike. GDPR specifically may not hit the majority of US companies in the immediate future, but you can bet something similar will. If nothing else, consumers will demand changes and migrate their business to companies that comply. It will pay to be ready, and understanding basic GDPR mitigation steps is a good start.


The role of data governance and IT

GDPR requires that customers be able to access data held, rectify errors and request erasure of personal information. This means that should a customer ask, the company must be able to:

  1. Find all personal data, even though it may exist in multiple databases, with third parties (agencies, repair shops, re-insurers) or in spreadsheets on a desktop (a probable no-no under GDPR);
  2. Show it to the customer; and
  3. Correct any errors held therein.

In addition to traditional metadata on quality, lineage and definitions, other metadata will be required to track opt-ins and usage.

For those insurers with well-developed data governance, the good news is that this type of tracking, quality control and IT architecture design is tailor-made for data governance programs. GDPR provides a trigger for stepping up data governance and for business units to take an active and vocal role in shaping governance activity.

Those lagging in data governance can prepare now:

The role of the business units

Specific GDPR provisions could spell trouble for increasingly data-driven insurance business practices: that consumers provide clear and unambiguous consent for all data collection, use and storage; that the data collected is reasonable for the consent given; and that consumers have the right to ask for human intervention in automated decisions.

Immediate steps businesses should take include:

For any company falling under the direct auspices of GDPR, these steps are must-do for compliance. For those anticipating tightening regulations, these steps will put them ahead of the game and could quite possibly provide an edge in attracting privacy-savvy customers.

Lisa Loftis is a thought leader on the SAS Best Practices team, where she focuses on customer intelligence, customer experience management, and digital marketing. She is co-author of the book, Building the Customer Centric Enterprise. She can be reached at Lisa.Loftis@sas.com.
