If you do business with EU residents, those residents can demand protections. (National Underwriter Property & Casualty magazine)

I recently wrote about the considerable impacts that the General Data Protection Regulation (GDPR) will have on insurers. GDPR will touch virtually every function within insurance companies, including IT, marketing, claims, pricing and underwriting, and fraud prevention.

Despite this month's compliance deadline and its significant impact, many companies have no plan for GDPR, because they do not believe that it will apply to them. NTT Security found that four in 10 companies globally feel this way, with 75% of US businesses indicating that their companies would not be affected. This is a mistake.

If you do business with EU residents, those residents can demand protections. According to Globe Newswire, 52% of US businesses possess data on EU residents. American expats who still own houses in the US, EU citizens with vacation property — all with homeowners insurance — are a few glaring examples.

More significant, American consumers are raising their privacy expectations. Facebook and Cambridge Analytica brought this issue roaring into the minds of legislators and US citizens alike. GDPR specifically may not hit the majority of US companies in the immediate future, but you can bet something similar will. If nothing else, consumers will demand changes and migrate their business to companies who comply. It will pay to be ready, and understanding basic GDPR mitigation steps is a good start.

The role of data governance and IT

GDPR requires that customers be able to access data held, rectify errors and request erasure of personal information. This means that should a customer ask, the company must be able to:

  1. Find all personal data, despite the fact that it may exist in multiple databases, with third parties (agencies, repair shops, re-insurers) or in spreadsheets on a desktop (a probable no-no under GDPR);
  2. Show it to the customer; and
  3. Correct any errors held therein. In addition to traditional metadata on quality, lineage, and definitions, other metadata will be required to track opt-ins and usage.

For those insurers with well-developed data governance, the good news is that this type of tracking, quality control and IT architecture design is tailor-made for data governance programs. GDPR provides a trigger for stepping up data governance and for business units to take an active and vocal role in shaping governance activity.

Insurers lagging in data governance can prepare now:

  • Conduct an impact assessment to determine what personal data is collected, where it is stored, how it is used (in conjunction with the business units), and where the compliance risks exist.
  • Review existing governance policies and data management processes to ensure coverage of personal information data and incorporate conditions stipulated by GDPR.
  • Work with the systems designers and architects to validate that enterprise application architecture standards facilitate the integration necessary to comply (e.g., creating that elusive 360-degree customer view and cascading personal information data changes across all systems).
  • Ensure that there are business owners and data stewards for all data covered under GDPR.
  • Procure the toolsets, define the business processes that facilitate common definitions and data quality standards, and proactively monitor the state of the data covered under GDPR.
  • Allocate both funding and resources to modify systems as needed. Most insurers will require system changes.
  • Coordinate with the security representative on the governance committee to review existing company privacy and security policies to verify they have the rigor demanded by GDPR.

The role of the business units

Specific GDPR provisions could spell trouble for increasingly data-driven insurance business practices: that consumers provide clear and unambiguous consent for all data collection, use and storage; that the data collected is reasonable for the consent given; and that consumers have the right to ask for human intervention in automated decisions.

Immediate steps businesses should take include:

  • Review all consent practices to ensure consumers understand what they are giving consent for, and that consent can be tracked and audited. Because many companies use blanket opt-in consent practices, or assume consent is provided for all uses as a part of the insurance contract, this provision will likely require new business processes and systems modifications.
  • Take a hard look at the personal information collected to make sure it fits the “reasonable use” provision — that it is really needed for the areas where consent has been given. This provision may hit insurers hard, as big data fuels the quest for more granular risk and pricing segments. Fraud analysis that mines social media posts for questionable claims, underwriting using non-traditional insurance information such as credit history or health records, and telematics collected without the customer's consent may all become problematic. Much depends on how regulators enforce the reasonable use clause or, in the case of US companies, what, if any, new regulations result from the increasing focus on data privacy. At minimum, insurers should understand what data is used and be prepared to discuss both why it is needed and the benefit it brings to their customers.
  • Develop processes for accommodating human intervention into automated decision processes and for explaining to consumers how their personal information is being used from a profiling and analysis perspective. If customers ask, insurers must be prepared to explain.
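The access, rectification and erasure requirements listed under data governance (find every copy, show it, correct it) and the consent-tracking and purpose-limitation steps in this list rest on one underlying mechanism: a record of where each datum lives, why it was collected, and what the subject has actually consented to. The Python sketch below is an added illustration of that mechanism, not code from the article or from SAS; the store names, field names, purposes and the consent-event format are constructed for the example. It shows an append-only consent ledger (withdrawal is a new event, so the history stays auditable), a registry that locates every copy of a subject's data across systems and cascades corrections and erasures, and a purpose check that refuses to release data for a purpose the subject has not consented to.

```python
"""Toy consent ledger and data-subject request handler (constructed example).

Three in-memory "stores" stand in for a policy system, a claims system and a
third-party spreadsheet. Every value carries its lineage (where it came from)
and the purpose it was collected for, which is what lets one component answer
access, rectification, erasure and consent-audit requests.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Datum:
    value: object
    purpose: str        # why it was collected (purpose limitation)
    lineage: str        # where it came from


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    source: str         # how consent was captured (form, call, app)


class ConsentLedger:
    """Append-only: events are never edited, so the history stays auditable."""

    def __init__(self):
        self._events = {}   # subject -> list[ConsentEvent]

    def record(self, subject, purpose, granted, source, at=None):
        ev = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source)
        self._events.setdefault(subject, []).append(ev)
        return ev

    def has_consent(self, subject, purpose):
        # The most recent event for this purpose decides. No event means no
        # consent: blanket or contract-implied consent is deliberately not modelled.
        relevant = [e for e in self._events.get(subject, []) if e.purpose == purpose]
        return bool(relevant) and relevant[-1].granted

    def audit(self, subject):
        return list(self._events.get(subject, []))


class PersonalDataRegistry:
    def __init__(self, ledger):
        self.ledger = ledger
        self.stores = {}    # store name -> subject -> field name -> Datum

    def put(self, store, subject, field_name, value, purpose, lineage):
        self.stores.setdefault(store, {}).setdefault(subject, {})[field_name] = \
            Datum(value, purpose, lineage)

    def locate(self, subject):
        """Right of access: find every copy of the subject's data in every store."""
        found = []
        for store, subjects in self.stores.items():
            for fname, d in subjects.get(subject, {}).items():
                found.append({"store": store, "field": fname, "value": d.value,
                              "purpose": d.purpose, "lineage": d.lineage})
        return found

    def rectify(self, subject, field_name, new_value):
        """Cascade a correction to every store holding the field; return copies changed."""
        changed = 0
        for subjects in self.stores.values():
            rec = subjects.get(subject, {})
            if field_name in rec:
                old = rec[field_name]
                rec[field_name] = Datum(new_value, old.purpose,
                                        old.lineage + "; rectified by subject request")
                changed += 1
        return changed

    def erase(self, subject):
        """Right to erasure: drop the subject from every store; return stores touched."""
        return sum(1 for subjects in self.stores.values()
                   if subjects.pop(subject, None) is not None)

    def data_for_purpose(self, subject, purpose):
        """Purpose limitation: release only fields collected for a consented purpose."""
        if not self.ledger.has_consent(subject, purpose):
            raise PermissionError(f"no valid consent from {subject} for {purpose!r}")
        return {f["field"]: f["value"] for f in self.locate(subject)
                if f["purpose"] == purpose}


def build_demo():
    """Constructed sample data: one policyholder spread over four systems."""
    ledger = ConsentLedger()
    reg = PersonalDataRegistry(ledger)
    s = "subject-0001"
    ledger.record(s, "policy_administration", True, "application form")
    ledger.record(s, "telematics_pricing", True, "mobile app opt-in")
    ledger.record(s, "telematics_pricing", False, "customer call")  # later withdrawal
    reg.put("policy_admin_db", s, "email", "old@example.com", "policy_administration", "application form")
    reg.put("claims_db", s, "email", "old@example.com", "policy_administration", "copied from policy_admin_db")
    reg.put("repair_shop_sheet", s, "email", "old@example.com", "policy_administration", "sent to third party")
    reg.put("telematics_db", s, "night_driving_pct", 0.31, "telematics_pricing", "mobile app")
    return reg, s
```

With the demo data, `locate` returns four copies, `rectify` on the email field changes three of them (including the third-party spreadsheet), `data_for_purpose(s, "telematics_pricing")` raises because the most recent consent event is a withdrawal, and `erase` empties all four stores. Keeping lineage on each datum is what makes the third-party and spreadsheet copies visible to the request handler at all; without it, the cascade described in the architecture bullet above has nothing to cascade to.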

For any company falling under the direct auspices of GDPR, these steps are must-do for compliance. For those anticipating tightening regulations, these steps will put them ahead of the game and could quite possibly provide an edge in attracting privacy-savvy customers.

Lisa Loftis is a thought leader on the SAS Best Practices team, where she focuses on customer intelligence, customer experience management, and digital marketing. She is co-author of the book, Building the Customer Centric Enterprise. She can be reached at [email protected].
