GDPR. These letters are increasingly visible in the media. 

When it comes into force on 25th May 2018, the General Data Protection Regulation (GDPR)  will apply to all EU member states, including the UK. Its aim is to standardise and strengthen data protection for all individuals within the EU; it also addresses the export of personal data outside the EU.  GDPR will apply to any company across the globe which holds the data of EU citizens. In the UK –  Brexit aside – the government has announced its intention to align UK law with GDPR, transferring this into the UK Data Protection Bill.

There are fewer than 12 months to go. The clock is ticking!

Insurers are actively engaged in assessing and refining how they handle customer data in line with GDPR and their own know-your-customer (KYC) processes. For example, AXA has already paved the way for the wider industry,  declaring that its team should implement the GDPR guidelines with the aim of reaching the deadline in time.

Other insurance businesses are exploring ways to build GDPR compliance within the technology used by their brokers as part of the customer journey in what is being called "privacy by design." There is also "privacy by consent," enabling the customer to change settings depending on their preference. 

Not surprisingly, there are some known areas of confusion, especially how each state interprets the GDPR rules. For example, in countries like Germany, there is already a rigorous data protection regime in place. How GDPR is integrated with EU member states’ domestic legislation generally remains to be seen. Insurers who operate in different markets will either need to attempt to tier their response, as appropriate, or raise all standards to the highest denominator. Meanwhile, diverse international attitudes to data protection add an additional level of complexity.

Insurance companies do not always know what data they will need in the future. As more complex modelling systems become integral to calculations, insurers may consider that the more data they can feed in to their systems, the better service and value they can offer customers.

So, the fact that the EU GDPR gives customers a “right to be forgotten,” through data erasure or at least data obfuscation, will have implications for insurers. In the UK the government has sought  input from a range of industries, and received feedback from insurers like Aviva, Axa and BGL. The government talks about its desire to preserve the status quo as much as possible and, as such, the draft bill refers to exemptions for insurance businesses. However, there is little detail yet on what this means and how far it goes.  

It is important that insurers prepare to meet the basic GDPR requirements by ensuring they have the tools and techniques to delete data, either on an individual basis, or through mass data deletion. Beyond this, getting structures in place to allow for obfuscation will become increasingly important for insurers if they wish to continue to maximise the opportunities provided by data analysis and modelling, and build better digital businesses within this new regulatory framework.  

Yes, there is concern around interpretation. However, GDPR can be a catalyst for insurers to rethink and revitalise key systems and processes, especially how customer data is used, and to transform business engagement with customers on a personal level.

In this context, it is important to note that much of the innovation which has been pioneered by insurers over the past few years has come from the personalisation, data gathering or customer-facing parts of the industry – for example, buying hourly coverage, embedding Artificial Intelligence, or allowing customers to store their data.

It has never been more important for insurers to have good relationships with their customers; to know their customers. GDPR has the potential to become a topic of positive conversation and engagement. Aside from the fact that switching insurer (and the resulting movement of data to a new carrier is about to become easier), insurance companies need to explain to their customers what they are doing about GDPR compliance; as well as potentially handling difficult enquiries about why they hold their data. Worth serious consideration is the idea of insurers wearing GDPR compliance as a badge of honour, a demonstration that they take their customer data protection seriously, and that they can be trusted.

The GDPR is certainly a challenging piece of legislation, and the insurance industry has no choice but to get up to speed and get on with it. Insurers who prepare now, and practice good data management, will be best placed to ensure customer trust and reap the benefits. Many might also see how the overhaul of data protection laws also helps build a stronger marker for selling cybersecurity insurance policies to businesses. More about cyber in a future blog that will look at data science and machine learning in the designing of insurance products for 21st century risks.