With the shadow of the GDPR front line forming up on the horizon, the industry continues to prepare for the charge. The problem is few of the troops seem to know exactly what is coming.
It seems a slightly odd state of affairs, given GDPR was one of the most written about subjects in the insurance press in the second half of last year. Searches on Google have also maintained their steady ascent over the past twelve months.
Google searches for ‘GDPR’, past year
Google searches for ‘GDPR Insurance’, past year
Source: Google Trends, UK only
Meanwhile a LinkedIn Group ‘Data Protection and the EU GDPR’, is fast approaching a membership of 10,000. Recently, it was the source of a curious discussion initiated by our CEO, Ian Hughes, who asked whether consent to receive marketing messaging would automatically be given for customers who renew their annual policy.
Given this would apply to millions of motorists, it’s far from an edge case, and so we would expect some kind of categorical response, particularly with scarcely four months until ‘Delete Day’. Yet the feedback, if it can be taken as any kind of proxy for the market, illustrates instead the depth of the challenge ahead.
As Hughes says: “There’s some very credible sounding, but some very wrong advice” being offered.
Admittedly, a comment on LinkedIn does not constitute binding advice (and many people include the appropriate caveats), and the sample size is evidently tiny, but it is nonetheless worth noting that of the 32 people who responded, 9 said yes, emphatically consent is renewed’; 10 said no, and the remaining 13 said it either depended on circumstances, or suggested some kind of alternative. It’s also worth noting that a number of those who commented were classified as ‘GDPR consultants’; their answers were among the most nuanced of all.
Instead of getting bogged down here in details of consent, lawful basis, legitimate purpose, change of process, or whether auto renewal equates to auto consent, it is apparent that what the industry is grappling with is either tremendously complex, tremendously misunderstood or tremendously TBC. In any case, the clock is ticking.
To coin one of the great clichés (as one commentator, Richard Cliffe did) the devil really is in the detail. It’s also in the context; some of the more considered comments touch upon the application of one provision of the regulation in relation to the others. Take for example James Russell, a Legal & Contract Manager at ESP Utilities, who points out that in the new world where the data subject (i.e. you and me) is king, established notions of marketing legitimacy may no longer apply.
“There seems to be some confusion over the application of Recital 47. This should be read in conjunction with Article 6 (lawfulness of processing); particularly Article 6(f), which caveats that any supposed legitimate interest of the controller is subject to and deposed by the data subject's fundamental rights and freedoms.
“In my view there will be very few (if any) situations where direct marketing is lawful by reason of a controller's legitimate interest.”
Putting the legalese to one side, the danger appears to be willingness for some observers (including marketers) to see only what they want to see, and return to business as usual. Yet our figures suggest that the cost of having to re-acquire customers who will be assumed lost under the new regime due could be as much as £100m — and that’s before we get into any discussion of infrastructure management or punitive fines.
That isn’t to say that marketers can’t benefit. Last year we released a white paper on the subject, maintaining that GDPR was not so much a threat, but an opportunity for companies and marketing teams that have their houses in order.
Some of them are already well along that road; others will surely get there in time. What is apparent, though, is that a lot of dangerous assumptions are already being made — all too often based on the way things have always been — and any consensus, if it even exists, is not trickling down to the rank and file. Heaven only knows what that means for consumers.
To find out more, including contributing to the original discussion, please go here. To join the GDPR group on LinkedIn, which includes a more detailed analysis of consent at policy renewal, go here.
Download GDPR Delete Day Report
Data is the lifeblood of the modern insurance industry. It influences everything from pricing to claims, and insurers are constantly searching for the right data on the right customers. Without data, the insurance industry just ceases to operate.
Submit a comment