Think GDPR doesn’t apply to you? Don’t be so sure
Many companies have no plan for GDPR, because they do not believe that it will apply to them. That's a mistake.
I recently wrote about the considerable impacts that the General Data Protection Regulation (GDPR) will have on insurers. GDPR will touch virtually every function within insurance companies, including IT, marketing, claims, pricing and underwriting, and fraud prevention.
Despite this month’s compliance deadline and its significant impact, many companies have no plan for GDPR, because they do not believe that it will apply to them. NTT Security found that four in 10 companies globally feel this way, with 75% of US businesses indicating that their companies would not be affected. This is a mistake.
If you do business with EU residents, those residents can demand protections. According to Globe Newswire, 52% of US businesses possess data on EU residents. American expats who still own houses in the US, EU citizens with vacation property — all with homeowners insurance — are a few glaring examples.
More significantly, American consumers are raising their privacy expectations. Facebook and Cambridge Analytica brought this issue roaring into the minds of legislators and US citizens alike. GDPR specifically may not hit the majority of US companies in the immediate future, but you can bet something similar will. If nothing else, consumers will demand changes and migrate their business to companies that comply. It will pay to be ready, and understanding basic GDPR mitigation steps is a good start.
The role of data governance and IT
GDPR requires that customers be able to access data held, rectify errors and request erasure of personal information. This means that should a customer ask, the company must be able to:
- Find all personal data, despite the fact that it may exist in multiple databases, with third parties (agencies, repair shops, re-insurers) or in spreadsheets on a desktop (a probable no-no under GDPR);
- Show it to the customer; and
- Correct any errors held therein. In addition to traditional metadata on quality, lineage, and definitions, other metadata will be required to track opt-ins and usage.
For those insurers with well-developed data governance, the good news is that this type of tracking, quality control and IT architecture design is tailor-made for data governance programs. GDPR provides a trigger for stepping up data governance and for business units to take an active and vocal role in shaping governance activity.
Those lagging in data governance can prepare now:
- Conduct an impact assessment to determine what personal data is collected, where it is stored, how it is used (in conjunction with the business units), and where the compliance risks exist.
- Review existing governance policies and data management processes to ensure coverage of personal information data and incorporate conditions stipulated by GDPR.
- Work with the systems designers and architects to validate that enterprise application architecture standards facilitate the integration necessary to comply (e.g., creating that elusive 360-degree customer view and cascading personal information data changes across all systems).
- Ensure that there are business owners and data stewards for all data covered under GDPR.
- Procure the toolsets, define the business processes that facilitate common definitions and data quality standards, and proactively monitor the state of the data covered under GDPR.
- Allocate both funding and resources to modify systems as needed. Most insurers will require system changes.
- Coordinate with the security representative on the governance committee to review existing company privacy and security policies to verify they have the rigor demanded by GDPR.
The role of the business units
Specific GDPR provisions could spell trouble for increasingly data-driven insurance business practices: that consumers provide clear and unambiguous consent for all data collection, use and storage; that the data collected is reasonable for the consent given; and that consumers have the right to ask for human intervention in automated decisions.
Immediate steps businesses should take include:
- Review all consent practices to ensure consumers understand what they are giving consent for, and that consent can be tracked and audited. Because many companies use blanket opt-in consent practices, or assume consent is provided for all uses as a part of the insurance contract, this provision will likely require new business processes and systems modifications.
- Take a hard look at the personal information collected to make sure it fits the “reasonable use” provision — that it is really needed for the areas where consent has been given. This provision may hit insurers hard, as big data fuels the quest for more granular risk and pricing segments. Fraud analysis that mines social media posts for questionable claims, underwriting using non-traditional insurance information such as credit history or health records, and telematics collected without the customer’s consent may all become problematic. Much depends on how regulators enforce the reasonable use clause or, in the case of US companies, what, if any, new regulations result from the increasing focus on data privacy. At minimum, insurers should understand what data is used and be prepared to discuss both why it is needed and the benefit it brings to their customers.
- Develop processes for accommodating human intervention into automated decision processes and for explaining to consumers how their personal information is being used from a profiling and analysis perspective. If customers ask, insurers must be prepared to explain.
For any company falling under the direct auspices of GDPR, these steps are a must for compliance. For those anticipating tightening regulations, these steps will put them ahead of the game and could quite possibly provide an edge in attracting privacy-savvy customers.
Lisa Loftis is a thought leader on the SAS Best Practices team, where she focuses on customer intelligence, customer experience management, and digital marketing. She is co-author of the book, Building the Customer Centric Enterprise. She can be reached at Lisa.Loftis@sas.com.