Tag Archives: EU

What GDPR Means for Insurance Companies

GDPR (General Data Protection Regulation) took effect in Europe on May 25 — and is expected to create a ripple effect that affects U.S.-based organizations, regardless of whether they have European operations.

This is the most significant data privacy regulation ever – the EU views this as a human rights issue. The recent Facebook issues will accelerate GDPR acceptance here in the U.S., and it is up to insurance agents and carriers to be sure they are in compliance with all applicable laws and regulations in the U.S. and in Europe.

GDPR was enacted to further protect the rights of individuals in controlling how their personal data is shared. Many expect further regulations to come to the U.S., along with stiffer financial penalties for those organizations that do not comply.

But there are those in the insurance industry who see this as the “starting gun,” not “the finish line.” The reality for most U.S. businesses, insurance companies and others is that GDPR will become the global standard for how businesses must handle consumer data, and it will set new benchmarks for consumer data privacy.

GDPR will have a positive impact for both the business/marketer and the consumer.

This can become an incredible opportunity for U.S. companies that choose to embrace GDPR. Instead of something scary and negative, it can become a great opportunity that they can use to challenge themselves to build tools and processes to maintain smarter marketing and more personalized and predictive communications with customers.

As consumers begin to understand the advantages to them, they will likely prefer to work with and share their consumer data with compliant companies. Rather than waiting and wondering, companies need to take the steps necessary to comply. If it’s great for the customer, and if businesses lead the way, it will end up being great for the company.

See also: How GDPR Will Affect Insurance 

First, insurance companies will need to take steps to comply with the legislation so they will not be open to stringent financial penalties. They must begin by working with their legal team and GDPR experts to appoint a company representative who is established in an EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.

Not all organizations need one, but if it’s required, appoint a Data Protection Officer who has the expertise needed. This person can help redesign what consent and disclosure looks like for customers. Consumers will need to check a box (or its equivalent) for every single use case of their data. They need to be able to select those they agree with and decline those they don’t, and companies need to be able to comply and track their preferences in their systems.

Insurance companies also need to consider third-party providers. If a third party is not able to prove GDPR compliance, the EU work it does is illegal. Companies should audit their third-party providers and reevaluate service level agreements.

Companies also need to work within the GDPR regulations while still delivering a “good client experience” and still finding, winning and retaining new customers; the new law is a game changer for the way they do business now.

Moving forward, companies will need to be much more aware of their audiences’ tolerance for marketing. Companies that have been careless by oversaturating their audiences with irrelevant marketing will lose the privilege to market to those customers.

Consumers want information and marketing that is timely and relevant. Technology companies have tools available for clients that account for marketing saturation modeling and use dynamic marketing workflows. Their audiences should receive the “Goldilocks” amount of marketing – not oversaturated, but enough to maintain brand awareness and positive disposition when they are in the position of making a buying decision.

The positive impact for the insurance industry will be that GDPR compliance forces companies to implement data storage, processing and marketing “best practices.” Once a consumer asks to be forgotten, companies must remove all the person’s data: not just take people off an email list or a call list, but delete all their preferences, history and contact information.

Businesses that comply with GDPR will reap the benefits of better consumer confidence. Additionally, the practice of impeccable data security demands migrating customer data to the latest network technology. The long-term benefit of storing and running data using the best and most current technology reduces overall digital footprint.

But how companies use technology to retain brand awareness and win and keep customers without becoming a nuisance at a permanent cost will be a challenge. Achieving and retaining brand awareness without irritation becomes a balance of just the right messaging, via the right channel at the right time.

See also: How to Avoid Being Bit by GDPR (Part 1)

We are proponents of human engagement and realize that all the AI in the world cannot replace human connections. We also realize that the human connection is invaluable and that marketing communications coming from a trusted adviser versus a faceless organization elevates the message.

More than ever, companies need to rely on marketing acceleration models that induce a repeatable pattern of activity, garnered from AI and machine learning to create marketing workflows that enable individuals at a company to have personal connections, smarter marketing, more personalized and predictive customer experiences and better sales outcomes.

Technology can help companies achieve one-on-one interactions and make them more confident that what they say and show is relevant and tailored to their client.

How to Avoid Being Bit by GDPR (Part 2)

This is Part Two of a two-part series focused on helping data insight leaders plan for GDPR. Find the first part here.

With the EU-approved General Data Protection Regulation (GDPR) set to be implemented in the U.K. on May 25, 2018, GDPR must be a consideration for all insight leaders.

In the first post, we focused on needing to check your potential exposure with regard to these topics:

  • Higher standard of what constitutes consent;
  • Challenges if using “legitimate interest” basis;
  • Permission needed for profiling and implications; and
  • Data impact of people’s right to be forgotten.

Is there more to GDPR than that?

I mentioned in my first post that I was concerned about an apparent complacency regarding GDPR readiness. After talking further about this with some leaders, I believe that one cause is risk and compliance teams advising that GDPR isn’t as bad as feared. This means there’s a danger of potential threats “falling between two stools.”

Let me explain.

From a risk-and-compliance perspective, many of the principles in GDPR aren’t hugely different from the existing U.K. Data Protection Act. Many of the changes come through greater evidence requirements and more specific guidance regarding what is expected in specific situations. For that reason, I can understand compliance experts not seeing the need for vastly different paperwork. However, leaving such an assessment to that team risks missing critical implications.

One of the reasons that insight leaders and data teams should get involved in discussions about GDPR is to spot technical/data/system implications of change. What may seem to be simply a clarification of language to a compliance expert sometimes has far-reaching implications for company data models and how data will be used or stored — for instance, the rights mentioned in Part One with regard to withdrawing permission for profiling (or the “right to be forgotten”). Most businesses’ existing data models will not currently cater to the new fields, and separation of records is required.

So, although wading through EU legal language may not sound like a fun day out, it’s worth data insight leaders and their teams talking through practical implications with their risk and compliance advisers.

Here are some other considerations for you to discuss.

Data model impacts from GDPR

The reason for titling this topic “Data model impacts” rather than “Database impacts” is our advice to maintain up-to-date data models for your business that give you independence from specific IT solutions. Whatever this is called, data insight leaders will want to identify any impacts to their data structures and any changes that may be needed to enable compliance ASAP.

See also: Missed Opportunity for Customer Insight

In our first post, we touched on both the need for consent (to marketing and profiling) as well as the need for evidence of this. There are further considerations.

Applying meaningful data-retention policies that can be justified as reasonable requires knowing the recency of such consent. In addition, data-controller responsibilities require the capturing and storage of consent data within any third-party sources of personal data.

Even the current Information Commissioner’s Office (ICO) guidance (before it was updated for GDPR) makes clear:

  • “Organizations should therefore make sure they keep clear records of exactly what someone has consented to.”
  • “Organizations may be asked to produce their records…”
  • “Organizations should decide how long is reasonable to continue to use their own data and more importantly a third party list.”
  • “As a general rule… it does not rely on any indirect consent given more than six months ago.”

Do your data models capture that granularity of data permission (what and when) and hold it against both internally captured personal data and any you may have purchased from third parties?
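As an added illustration (not code from the original post), here is a minimal consent ledger in Python that captures the granularity the ICO guidance above calls for: consent per purpose, when it was captured, whether it came directly or from a third-party list, and the evidence reference, plus a "forget" operation that removes the whole record rather than flipping an opt-out flag. The six-month rule for indirect consent is approximated as 183 days, and all subject data and list names are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Each purpose is its own checkbox: consent is recorded per use case, not as one blanket flag.
PURPOSES = ("marketing_email", "marketing_phone", "profiling")

# ICO guidance: do not rely on indirect (third-party) consent given more than six months ago.
# Six months is approximated as 183 days here (an assumption of this example).
INDIRECT_CONSENT_MAX_AGE = timedelta(days=183)

# Date used as "now" in the sample walkthrough: the GDPR application date.
AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str
    granted: bool          # False records a withdrawal; the ledger is append-only
    captured_at: datetime  # when the consent or withdrawal was captured (UTC)
    source: str            # "direct" if captured by us, otherwise the third-party list name
    evidence: str          # reference to the form, call or import batch (constructed values)


@dataclass
class DataSubject:
    subject_id: str
    contact: Dict[str, str]
    consents: List[ConsentRecord] = field(default_factory=list)
    history: List[str] = field(default_factory=list)


class ConsentLedger:
    """In-memory ledger of per-purpose consent with recency, source and evidence."""

    def __init__(self) -> None:
        self._subjects: Dict[str, DataSubject] = {}

    def add_subject(self, subject_id: str, contact: Dict[str, str]) -> None:
        self._subjects[subject_id] = DataSubject(subject_id, dict(contact))

    def record_consent(self, subject_id: str, purpose: str, granted: bool,
                       captured_at: datetime, source: str, evidence: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if captured_at.tzinfo is None:
            raise ValueError("captured_at must be timezone-aware")
        subject = self._subjects[subject_id]
        subject.consents.append(ConsentRecord(purpose, granted, captured_at, source, evidence))
        subject.history.append(f"{captured_at.isoformat()} {purpose} granted={granted} via {source}")

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        subject = self._subjects.get(subject_id)
        if subject is None:
            return None
        matching = [c for c in subject.consents if c.purpose == purpose]
        return max(matching, key=lambda c: c.captured_at) if matching else None

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """True only if the newest record for this purpose is a grant that is still fresh enough."""
        rec = self.latest(subject_id, purpose)
        if rec is None or not rec.granted:
            return False
        if rec.source != "direct" and now - rec.captured_at > INDIRECT_CONSENT_MAX_AGE:
            return False  # stale third-party consent is treated as no consent
        return True

    def evidence_for(self, subject_id: str, purpose: str) -> List[str]:
        """What we would produce if asked to show exactly what someone consented to, and when."""
        subject = self._subjects.get(subject_id)
        if subject is None:
            return []
        return [f"{c.captured_at.date()} {purpose} granted={c.granted} source={c.source} ref={c.evidence}"
                for c in subject.consents if c.purpose == purpose]

    def forget(self, subject_id: str) -> bool:
        """Right to be forgotten: remove contact details, history and consents, not just an opt-out."""
        return self._subjects.pop(subject_id, None) is not None

    def is_known(self, subject_id: str) -> bool:
        return subject_id in self._subjects


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for one subject: a direct email consent and an old purchased-list consent."""
    ledger = ConsentLedger()
    ledger.add_subject("subj-001", {"email": "a.example@example.com"})
    ledger.record_consent("subj-001", "marketing_email", True,
                          datetime(2018, 1, 10, tzinfo=timezone.utc), "direct", "webform-4412")
    ledger.record_consent("subj-001", "profiling", True,
                          datetime(2017, 10, 1, tzinfo=timezone.utc), "purchased-list-B", "import-77")
    return ledger


def demo() -> Dict[str, object]:
    """Walk through grant, stale indirect consent, withdrawal and erasure on the sample ledger."""
    ledger = build_sample_ledger()
    out: Dict[str, object] = {}
    out["email_before"] = ledger.may_process("subj-001", "marketing_email", AS_OF)
    out["profiling"] = ledger.may_process("subj-001", "profiling", AS_OF)  # indirect and older than 6 months
    ledger.record_consent("subj-001", "marketing_email", False,
                          datetime(2018, 3, 1, tzinfo=timezone.utc), "direct", "unsubscribe-link")
    out["email_after_withdrawal"] = ledger.may_process("subj-001", "marketing_email", AS_OF)
    out["evidence_count"] = len(ledger.evidence_for("subj-001", "marketing_email"))
    out["forgotten"] = ledger.forget("subj-001")
    out["known_after"] = ledger.is_known("subj-001")
    return out
```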

Data Protection Impact Assessments (DPIAs)

Data and analytics leaders within businesses often complain to me about not being consulted by internal project teams. It seems all too often the data implications of projects (especially on downstream systems like data warehouses) aren’t considered or are de-scoped from testing. This can result in considerable rework and in the worst cases to inappropriate marketing or customer contact.

Data Protection Impact Assessments (DPIAs) are intended to protect against such unintended data changes. Previously only recommended by the ICO, the GDPR is more explicit in what is expected:

“DPIAs to be carried out if the planned processing is likely to result in a high risk to rights and freedoms of individuals — including where processing involves ‘new technologies’ or ‘large-scale processing.’”

So, what do you need to do for a DPIA? Basically, it’s an investigation to identify how such risks will be mitigated. Could the planned systems changes produce effects on either data stored or on use of data that would breach the GDPR? Is monitoring required to avoid this? Given that the ICO is due to publish a list of the kind of processing operations that require DPIAs, it’s worth planning for them.

As a quick checklist, you should seek to answer these questions regarding your DPIA:

  • What is the possible risk to individuals from changes (to systems, processes, etc.)?
  • What is the risk of non-compliance with GDPR? (Consider all the topics in our two posts.)
  • Which principles and regulations might be breached?
  • Is there any associated organizational risk? (E.g. is reputation at risk if it goes wrong?)
  • Who should be consulted? (This includes third parties and teams using personal data.)

One final point: Within the GDPR guidance, there’s also an expectation of being “designed for compliance.” There’s far less tolerance for new systems not being designed to store and use data in line with GDPR rules. So, it’s well worth reviewing any current and planned projects to ensure they are allowing for the data fields and checks that will be required. Don’t try to use the opportunity to blame legacy systems.

Record-keeping and contracts (What should these cover?)

Financial services firms will be used to the record-keeping requirements from other regulations (including FCA’s Conduct Risk). Another area where GDPR goes further than previous rules is in the expectation of records being kept. If a data controller or data processor has more than 250 employees, “detailed records of the processing” need to be kept. SMEs (fewer than 250 employees) are generally exempt, unless the processing carries a “high privacy risk” or involves “sensitive data.”

So what records must you keep?

As a rough guide, it’s high-level records on policies and people, including:

  • Name and contact details of data controllers and DPOs (more about them soon);
  • Purpose of processing;
  • Classes of data (e.g. personal, sensitive, product, etc.);
  • Details of recipients of data;
  • Details of any overseas transfers;
  • Data retention periods (relying on date stamps on data items); and
  • Security measures in place (data access, authentication, etc.).

As an aside for insight leaders, recognizing the need to keep all these records prompts me to speak up about the need for better knowledge management solutions. Previously, I made a plea for more emphasis on metadata. Given that insight leaders also face the challenge of retaining analysts and the insights they have gleaned while working there, the need for an easy way to store insights and data, as well as data about data, is clear. However, despite years of variants of database, intranet, groupware and other potential solutions, most businesses still lack a routinely used knowledge management solution. I hope the success of products such as Evernote will prompt more complete solutions.

Data Protection Officers (DPOs) (Do you need one, and what should they do?)

Over the course of reading these two posts on GDPR, you may be beginning to wonder who carries the can. In other words, who is liable to go to jail or be prosecuted if this work is not done? The answer, for many firms, will be the Data Protection Officer (DPO). Far from being a scapegoat, the DPO is intended to be the internal conscience — akin to an internal audit role in helping prevent breaches.

The ICO was previously silent on any formal need for such a position, despite the growing popularity of appointing Chief Data Officers (CDO). At one stage, it was expected that GDPR would require every organization to have a DPO, but the final wording was more tolerant.

The following have to have DPOs:

  • Organizations where processing is “likely to result in a risk to data subjects”;
  • Organizations involving large-scale monitoring or sensitive data (ICO guidance should clarify); and
  • Public authorities or bodies.

A DPO is required to have the requisite data skills, and their details should be published to encourage contact with data subjects. But there are also protections to ensure the DPO isn’t brought under undue internal pressure. The DPO isn’t to be instructed how to carry out the duties. DPOs may not be dismissed or penalized for performing their tasks, and they have to report directly to the highest level of the organization. Given that freedom and responsibility, it isn’t surprising that a number of businesses will ask their CDO to take on the DPO role, as well.

See also: It’s Time for a New Look at Metadata  

What are DPOs expected to do, then, if they can’t be over-guided internally? Well, this:

  • Inform and advise data controllers to ensure compliance;
  • Monitor compliance with GDPR;
  • Provide advice to others where requested (e.g. DPIAs); and
  • Cooperate with the ICO, including notifying the ICO about any breaches.

Given all the concerns, it’s not surprising to see a growing industry of data breach insurance. However, it’s worth reading about the requirements. Many require very stringent internal controls and may not pay out if any insider collusion is identified.

How are you preparing? Do you have any tips?

Only time will tell how the ICO operates under these regulations and how firms respond. So, it’s the start of a journey — but I encourage all data insight leaders to start that journey ASAP.

Please do also share what has worked for you. What have you found useful in thinking through the implications for your organization? Are there any tools or tips and tricks that you’d recommend?

As ever, we’d like to encourage the Customer Insight Leader community to share best practice and help improve our profession.

For further information — and perhaps a next step — I’d recommend the training and certification provided by the IDM. I’ve completed both and found them very useful.

Insurers’ Call Centers: a Cyber Weakness?

Two years ago, the New York State Department of Financial Services (DFS) released a report on cybersecurity in the insurance sector after surveying 43 insurers with more than $3.1 trillion in assets. The report revealed that 35% of these companies experienced between one and five data breaches within the previous three years. This statistic represents only confirmed breaches (not attempted attacks), and the consequences for affected insurers included actual financial losses from lost customer business, legal defense and damaged brand reputation.

Fast forward to today, and it’s no surprise that the DFS is preparing to launch a new regulation on March 1 that requires banks, insurance companies and other financial services institutions it regulates to establish and maintain a cybersecurity program. The first of its kind in the U.S., this regulation aims to protect New York consumers and financial institutions from the ever-growing threat of cyberattacks. But, like any other industry-wide regulation, this proposed mandate is not without its challenges.

See also: 10 Cyber Security Predictions for 2017  

A key provision in the proposal is the requirement for encrypting non-public information (NPI) — such as payment card numbers, Social Security numbers (SSN), driver’s license numbers and other security codes, both in-transit and at-rest. For insurance companies that routinely capture and store this information in their call centers and other areas of business, protecting NPI will be especially challenging. Most insurers record customer calls, thereby housing payment card numbers and other NPI in their physical and IT infrastructure. While many insurers use the practice of “stop/start” to block this data from recordings, this method creates additional security and governance concerns. Insurers that need to record 100% of calls to demonstrate compliance with other existing legislation and are using stop/start are now not recording the entire call. That not only means that they are not compliant but that they are also opening up opportunities for illicit activity to occur while the call is stopped. Yes, NPI is kept out of the call center’s infrastructure, but it is still exposed to agents — further complicating the entire effort to secure customer data. Data will also still need to be encrypted, meaning stop/start isn’t enough.

The most effective way to protect sensitive information, eliminate insecure practices and resolve broken processes to avoid potentially costly penalties and a tainted brand reputation is to abide by the saying: “They can’t hack what you don’t hold.” In short, keep NPI and other sensitive data out of the call center altogether. Insurers should implement a solution that encrypts data as it is collected and in-flight, as well as reducing stockpiles of data at rest that is just waiting to become exposed in the next big breach.

Despite the undoubted challenges it will bring, the New York DFS cybersecurity regulation is a step in the right direction because it starts to create much-needed standardization in the way insurers and their call centers handle sensitive information. To emphasize this point, we recently spoke with call center agents at 10 of the leading U.S. insurance companies. We found that there is a lack of a uniform approach in data security measures, especially when it comes to how sensitive information is removed from call recordings (and those insurers using stop/start still have NPI data elsewhere in the estate and are now not recording 100% of calls). Agents gave a wide range of answers — from using stop/start, to redacting information after the fact, to deleting the full recording after 30 days. This is in sharp contrast to the U.K., where a growing number of call centers are adopting an operating procedure that uses dual-tone multi-frequency (DTMF) masking and a secure, separate environment for encrypting data. Shouldn’t all insurers handle their data in the same, secure manner?

See also: Data Security Critical as IoT Multiplies  

While the New York DFS regulation is the first of its kind, it most certainly won’t be the last. We will now likely see other cybersecurity regulations crop up in the coming years that help standardize how financial institutions secure their data. Because this regulation affects all who conduct business in New York, it draws parallels to the pending EU General Data Protection Regulation (EU GDPR). Taking effect in May 2018, the EU GDPR will affect all businesses that hold or process data pertaining to EU citizens — no matter where they reside. Indeed, we are seeing all signs pointing toward greater standardization of data security across industries and borders. Insurers in New York and beyond must begin looking at solutions — now — to help simplify their compliance efforts and protect their customers and their reputations.

Why Customer Focus Isn’t Enough

It’s supremely intuitive that customer focus is the key to business success. It is also something that industries that have typically focused on products or distribution are now aware they need to change. Bravo!

However, how many leaders are really harnessing the full power of customer focus? If after reading that question you immediately thought “big data,” please stop, put your smartphone down and back away from the table. This is not the kind of power I am talking about.

The type of customer focus that I am talking about is better referred to as customer care — not just caring for customers, but caring about them. Maybe a good way to describe this would be customer indebtedness. These are companies that truly live, breathe and feel grateful for their customers, and put them above all else. Very few companies actually do this. They may say it, but being it is completely different.

See also: How to Bottle Great Customer Experience  

I was inspired while attending a recent LIMRA conference in Barcelona. One of the speakers, Artemis Pantelidou, general manager from EuroLife, owned by the Bank of Cyprus, humbly told the story of how her company was on the brink of collapse during the economic crisis in 2013 when Cyprus faced an EU and IMF bailout.

EuroLife was damaged by these market conditions. People were panicked. They wanted (and oftentimes needed) their money, and the company faced the risk of losing a significant amount of its customers, thereby jeopardizing its financial position for those who stayed.

However, it weathered the storm by staying focused on the customer and doing everything it could to make sure its customers were taken care of. It was in constant, open, honest dialogue with its customers, employees, agents and regulators. The company asked for all constituents to stay focused on customers and find new and different ways to satisfy as many as it possibly could. While some suggested it shut down to prevent a “run,” the way banks and stock markets do, Pantelidou insisted that EuroLife stay open for business and deal with each situation one customer at a time. After all, an insurance company is there to help with risk, not run away from it. Once customers understood the situation and how it could hurt so many people, they were even more grateful the company did so much to help them. And the storm passed.

When it was time for the Q&A segment of the presentation and attendees were looking for the magic bullet that helped EuroLife persevere, Pantelidou repeated that there was no more to success than doing what’s right for the customer — each customer. She gave credit to her leadership team and to everyone who worked together, but that was it. Without saying these words specifically, the sentiment was that the company owed a debt of gratitude to its customers, whether they stayed or didn’t stay.

They emerged stronger than ever, with advantages in the following areas:

  1. Leadership team’s trust and respect for each other
  2. Employee respect for leadership
  3. Customer loyalty
  4. Confidence in team’s abilities to handle volatility and uncertainty
  5. Regulators’ trust
  6. Public image
  7. Ability to innovate solutions

While nobody wishes to have an experience like EuroLife’s to achieve a competitive advantage, what lesson can be learned in the chaos of the everyday?

See also: How to Get Broader View of Customers  

If your company seems to be wrestling with any of the seven issues above, running around frustrated with leadership alignment, uncertainty or business barriers to innovation, perhaps adopting an attitude of customer indebtedness now could help your culture overcome those issues sooner rather than later. If you are longing for the everyday chaos to calm down before you can adopt this attitude, you’ll need a real crisis to break the cycle. Why wait?

What Happens if U.K. Exits the E.U.?

On June 23, 2016, the U.K. population will vote on whether to stay a part of the E.U.’s 28 countries or to leave. It’s a once-in-a-generation decision, and it is likely to dominate the U.K. press for the next six months. But what impact would a British exit, or “Brexit,” have on the insurance industry?

A report by Euler Hermes, a consultancy backed by Allianz, indicates this exit would include:

  • Massive loss of U.K. exports, which could take 10 years to recover
  • A heavy hit to financial services
  • London’s loss of its supremacy as a financial center
  • The likelihood that trade barriers would be imposed by continental Europe

Global insurers would inevitably be affected. Zurich Financial Services says it is “monitoring developments carefully.” The AXA chief executive described the situation as the U.K. “playing Russian roulette” and predicted a severe negative impact on London. Moody’s says the U.K.’s credit rating would be hurt.

Despite the recent challenges of Solvency 2, the argument that there will be less regulation if the U.K. leaves the E.U. doesn’t hold weight with Lloyd’s of London, whose Chief Risk Officer Sean McGovern recently said, “None of the alternatives will be as beneficial for the London market as the current relationship.”

Companies are already indicating they will need to make stockholders aware of the consequences of leaving—if only to avoid directors and officers (D&O) claims down the line. Because most annual reports are published only months before the vote, there’s likely to be a swell of activity; social media analytics measuring citizen sentiment will have a field day.

In October 2015, U.S. administrator Michael Froman ruled out a separate trade deal with the U.K. in the event that it leaves the European Union. He said, “We have no free trade agreement with the U.K., so it would be subject to the same tariffs—and other trade-related measures—as China, or Brazil or India.”

At face value, staying in the E.U. seems like an obvious choice, especially as the U.K. population—like the insurance industry—is risk averse and often reluctant to change. But there are other issues at play here, especially those regarding the emotional response.

Some are suggesting that London would be at greater risk of terrorism if the U.K. remains part of the E.U. Others are concerned about the immigration issue and the effect of the Euro crisis. Others simply argue that the U.K.—which has the fifth-largest economy in the world, is the fourth-greatest military power, is a leading member of the G7, has more Nobel Prizes than any other European country and is one of only five permanent members on the U.N. Security Council—is entitled to greater autonomy to make its own decisions and should not be constrained by politicians who are not elected by U.K. citizens.

“After all,” say those in favor of an “out” vote, “isn’t the current safety and prosperity enjoyed by the U.S., Australia, India, Canada and others founded on the principles of democratic self-government created by those who were once prepared to take matters into their own hands?”

Luckily, even with an “out” vote, the exiting process won’t happen overnight. There will be processes to follow, some of which could take years. It’ll give plenty of time for insurers and intermediaries (not just those in the U.K. or Europe) to think carefully about the consequences for their businesses, the economy and their customers.

Here are some issues that would have to be considered:

  • As London’s influence declines and there is a brain drain, where might the power shift to, physically, and will some of the big broking houses move house (again)? Where will the new powerhouse be? Singapore or Shanghai?
  • If there are new trade tariffs, how will this affect the flow of global business? According to U.K. government data, in 2011, the U.S. exported $3.5 billion of insurance services to the E.U.—that’s nearly $1 in every $4 in global insurance services exports.
  • How might an economic squeeze in the U.K. over the next decade affect consumer behavior in terms of buying both property and life insurance, and will this lead to further consolidation of an already saturated marketplace?

There is a basic insurance principle used to establish negligence that dates back more than 100 years. It refers to the “man on the Clapham Omnibus,” a hypothetical character epitomizing the “common man,” who is described as reasonably educated and intelligent but nondescript, and against whom a defendant’s conduct is measured.

So, on June 23, 2016, everyone in the U.K. over the age of 18 will get to vote, regardless of their expertise on the topic. On that day, it will not just be a matter for the entire U.K. population but for the “man on the Clapham Omnibus.” At this moment, we can only speculate whether his head will rule his heart, or vice versa.