As the world progresses down its path of digital evolution, issues around data privacy and protection are increasingly amplified. Internet-enabled social networks, mobile applications, e-commerce and business platforms are collecting and analyzing citizen and consumer data in monumental proportions. This is often without consumers being fully aware of the practice.
For many organizations, the collection and monetization of personal data is a core business practice. They use personal data to boost sales, improve the customer experience and to target their marketing. Some business models rely on selling access to this data to external advertisers who then target consumers with tailored advertising.
However, with a new data privacy breach hitting the global headlines every day, consumers are becoming increasingly concerned about how their personal data is being stored and processed. This great societal shift around the notion of digital privacy has been recognized by policy makers and regulators in the shape of strict new rules and regulations.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. As the strongest data protection regime in the world, the GDPR has extra-territorial reach that applies strict regulation upon any company offering goods or services to EU residents or monitoring the behavior of EU residents. The GDPR is built around the concept of ‘consent,’ meaning consumers have more power to determine what happens with their personal data. For example, they have the right to be forgotten and the right to access any information a company holds on them within one month of asking.
Insurance is and always will be a data industry. It’s a vital component across the entire insurance value chain, from prospecting, to marketing, to underwriting, to claims and so on. Data is the air the insurance industry breathes, and yet the industry must be cautious and abide by the consumer protection laws coming into force around the world.
“As insurers, data is the foundation of everything we do. We would certainly be nervous about the introduction of a law that might deny access to the data we need to underwrite our products effectively,” said Nat Wienecke, senior vice president for federal government relations at the Property Casualty Insurers Association of America (PCIAA).
The US does not yet have a GDPR-style federal privacy law. However, Congress has started laying the groundwork for a national privacy law. The Trump White House said this summer that the administration is meeting with companies and other interested parties to hopefully come up with a policy that’s “the appropriate balance between privacy and prosperity,” according to White House spokeswoman Lindsay Walters.
At present, individual states are enacting their own privacy protections. In 2020, the California Consumer Privacy Act (CCPA) will come into effect. It has been described as being similar to GDPR in that it will compel companies to tell customers upon request what personal data they’ve collected, why it was collected and what types of third parties have received it.
However, senior executives at firms like AT&T, Amazon, Apple, Google, Twitter and Charter Communications have appealed to Congress against the inconsistency of state privacy laws like the CCPA and have all come out in support of a federal proposal, according to the Associated Press.
“I think there’s a lack of knowledge among the average consumer about how much information is essentially publicly available on any one individual person,” Wienecke told Insurance Business. “By introducing the GDPR, Europe is at the tip of the sphere in terms of who owns personal data and what can be legally done with it. The US hasn’t really answered some of these questions yet.
“Lots of consumers don’t realize that you can buy specific consumer data in the same way that you can buy food at a grocery store. There’s a lack of awareness around that, and as our country debates what that means, I think our primary view as an insurance industry is that we need to be able to have data in order to understand risk. Because of this data, we’re starting to see some really innovative risk models around the world, which is allowing insurers to experiment with different underwriting criteria and is enabling progression in the industry.”
Enforcement of a GDPR-style national privacy law in the US would require a considerable cultural shift, according to Charlotte Worlock, senior associate at Clyde & Co. She said: “It’s a very challenging concept for some US tech companies [and data-reliant industries] to have to disclose what they’re doing with your personal data.
“I was at an insurance conference recently in California and we were discussing the California Consumer Privacy Act. One of the queries from the audience was: ‘What if I don’t want to tell you what personal data I have on you? And, what if I don’t want to delete it? Surely I should be able to make money from this.’ That’s where it’s going to be culturally quite challenging to get companies to see that they should be protecting people’s rights and people’s privacy rights in particular.”
Stricter privacy laws won’t just impact the insurance industry; they will also impact insurance consumers. Insurers are in a dynamic position where they must comply themselves and also advise others around best practices.
“Insurers and brokers need to encourage insureds to institute a proper plan and to look at what data they’ve got and what they’re doing with it,” Worlock added. “Do they have a proper procedure in place to respond to data subject access requests? Have they considered their breach notification plan? Have they considered how quickly they can respond to the discovery of a breach and mitigate their regulatory liability by making sure they do everything on time? By having proper processes in place, a lot of insureds would reduce that liability.”