Get ready with your delete key.
The 25th of May 2018 is Delete Day: that’s the day that you are going to have to delete vast quantities of personal data you keep about your customers and former customers.
On the 25th May 2018 the new General Data Protection Regulation comes into force. The Information Commissioner’s Office (ICO) gets sweeping new powers to control the data you can get and keep from customers. And the cost of non-compliance is 4% of revenue or £16.5m (and you lose all your customer data).
We recently co-conducted a survey with fast.MAP and our research shows that, on average, only about a third of motor insurance customers will be willing to let you keep their data, so you need to get your skates on.
Data is the lifeblood of the insurance industry. Whether it’s the big data used to price risk at the front end or the data held about claims at the back end, all that data is what makes the world go round. So what if you had to delete that data tomorrow (or 365 days from tomorrow)? And not just delete the data but delete any models derived from the data. And also delete any data that might not be personal but might be anonymised from personal data. All gone!
Here’s my biggest concern. As I travel around the industry and ask “What are you doing about GDPR?”, most people (who know what I am talking about) answer with “Oh, we have a committee for that?” And usually I probe a little further into who is on the committee and hear that it is IT or Compliance or Risk.
And then I go cold.
This is the greatest challenge to the way we market, sell and administer the claims of the industry and you think this is an IT and Compliance issue?
The cost of getting this wrong is not just a £16.5m fine. It’s the cost of deleting everything. Deleting your prospect base, deleting your claims data!
I have a new word for you, re-permission – add it to your spell check!
For the next 12 months you need to focus a massive amount of your marketing effort on re-permissioning. What is that? It is going back to everyone that you collected data about in a way that isn’t compliant with GDPR to ask them if it is OK for you to keep their information. And they have to say yes; without that there is no permission.
Imagine getting an email from an old friend you haven’t seen for years but you used to love hanging out with. They would like to stay in touch. What would you say? Now imagine getting an email from someone who you haven’t seen for years and you don’t like very much; they add no value to your life. They want to stay in touch as well, but they need your permission. Will you say yes?
The answer really is “it depends”.
In the same way as the nature of the relationship with your old friend drives whether you are willing to stay connected, so it works for insurers and their brands. We have carried out extensive work looking at how different insurance brands will be affected by GDPR and the answer is that there is no single solution. It really depends. We will soon be releasing a white paper with our findings, a copy of which you can register for below.
You have one year to turn your customers from “it depends” into “yes” or else you will have to delete them.
And new customers, well they will have to consent to you keeping their data. Consent is defined as “any freely given, specific, informed and unambiguous indication by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” Those are the words of the Regulation.
After you finish reading this go and check how you get consent. I’ve probably already read yours because I have been reading as many consent statements as I can across the insurance and banking industries. And they don’t comply. The most common mistake is that you can’t prove the person gave consent. They actually have to opt-in.
So that means the data you are collecting today and tomorrow and the next day. Well, all of that is going to have to be deleted because the law is retrospective.
Claims data? Well you might be able to claim a legitimate purpose, but you will have to make sure you balance your needs with the needs of the consumer. And any data you hold about a child, any of it, that all has to be deleted. So if a child was involved in a claim and you have their information because you paid out. Delete. If you have the information of the other driver involved in the claim and you don’t have consent to have it. Delete. Your driver also has the right to say “delete” and you have to forget them. And their claim!
I’m not saying the law is right, it’s crazy. But it will be the law in just one year.
At Consumer Intelligence we want our clients to survive and thrive in the new framework, so here are some things we are doing to help:
- Collecting compliance statements as part of our market scan so you can verify that you are compliant and also see what best practice looks like.
- Partnering with companies we believe have the right toolkits to help our customers overcome the re-permissioning barriers.
- Tracking and monitoring consumers and their preferences to get an insight on how their mood is changing.
- Building a test framework so you can prove that the “right to be forgotten” and “right to transfer” are being properly enforced. We will be able to certify your compliance for the regulator.
To be clear our research shows that there are some things that brands can do to gain a distinct advantage in this process but not every brand is starting in the same place. Some companies are going to have to work a lot harder and they need to start now.
Data is the lifeblood of the modern insurance industry. It influences everything from pricing to claims, and insurers are constantly searching for the right data on the right customers. Without data, the insurance industry just ceases to operate...