The Covid-19 pandemic has changed the way we live and work, invading nearly every facet of our daily life and accelerating the adoption of digital technologies within every organization. With customers becoming more and more digital and generating an exponential volume of data, the pandemic further drove the need for strong information governance and data management within the insurance industry.
Customer data privacy and security emerged not only as a complex and challenging compliance requirement for the insurance industry, but also as a potential source of competitive advantage. With better mining of existing information and the ability to take advantage of non-traditional sources and uses of IoT data (advanced voice, image, text and emotion analytics, artificial intelligence, behavioral intelligence), insurers have new ways of interacting with customers using digital means while protecting the privacy of the users. This has helped insurers attract more customers with improved and personalized engagements and drive more revenue by building trusted and long-term relationships with their customers.
Until now, insurers' data privacy efforts revolved around specific privacy-related regulations for their industry, with narrowly focused initiatives designed to satisfy those requirements. Today, this one-off approach to data privacy is no longer good enough. There had been no compelling reason for insurance companies to embed privacy considerations deeply into their larger business strategies until a recent series of high-profile data breaches brought the shortcomings of specific privacy-related data protection to light.
Some insurers have been slow to adopt the new compliance measures while others hid their heads in the sand and ignored them, believing they could outsmart regulators with partial compliance. Without a comprehensive and effective information governance program, data privacy remains a compliance challenge and a potential reputation time bomb for the insurance industry.
In a recent Deloitte survey, only 25% of respondents said they are willing to provide an iris scan or fingerprint to start their car and prevent theft. The acceptance rate rose to 38% when respondents were asked about their willingness to provide physical condition information, such as respiration, heart rate, or blood alcohol level. This suggests that many consumers consider health monitoring an acceptable personal safety feature.
According to the Deloitte assessment report, the greatest causes of privacy concern include location, sentiments and feelings, personal communications, and associations, closely followed by usage behavior and actions, and insurance companies selling customers' personal health data to third parties. As consumers are becoming more concerned about businesses collecting, using, or selling personal information without permission, many regulators around the world are taking unprecedented interest in privacy by establishing new, more rigorous, and effective data privacy policies and regulations to safeguard their customers.
Insurance companies need more awareness and control over the data they process and share. An underwriter, regardless of the type of insurance, will invariably collect and review customers' personal data, ranging from demographics to more sensitive data including health history, genetic history, and physiological traits, for risk assessment and processing. For example, biometric data from facial recognition software or wearables and IoT data for usage-based insurance (UBI) can be cross-referenced with social media posts. Pictures of sky diving and adventure sports can be used to create a loan applicant's risk profile.
Regulators from New York recently allowed insurers to use social media posts and pictures as well as non-traditional data sources to determine premium charges, provided they do not unfairly discriminate based on race, gender, sexual orientation, caste, or color or make any inferences of an intrusive nature.
GDPR tags this data as “special categories of data” to be collected based on individuals’ explicit consent (Art. 9), and any misprocessing will attract heavy fines.
Under GDPR, the use of direct marketing to find new customers requires positive opt-in by individuals, stating their consent and preferences on whether and how they want to be contacted. GDPR offers individuals the right to object (Art. 21) to personal data processing or withdraw consent when it relates to direct marketing. GDPR mandates that personal data be retained only as long as it is necessary for the purpose for which it was collected. However, it does allow storage for longer periods when the personal data will be processed solely for archiving purposes in the public interest, such as scientific, historical, or statistical research purposes, using additional technical safeguards such as pseudonymization. The data must be deleted or anonymized after its use.
Another central challenge for insurance companies operating internationally is the nature of regulations. Privacy requirements are very different from one jurisdiction or market to another. It’s understood that each data privacy law has different rules and regulations, so depending on where an insurer operates, they may have differing standards that must be met. Staying compliant with data privacy laws will pay dividends for both insurers and their clients.
Right now, compliance is simply the cost of doing business for insurers, but the question they have is how to align compliance with their business roadmaps and turn privacy into a business driver.
Once the data-centric approach put forward by GDPR is grasped, it can help insurers establish a stronghold for personal data, enabling more efficient business decisions, improving operational efficacy, creating greater credibility with customers and employees, reducing the threat landscape, and enhancing brand value.
With only a small number of insurers offering cyber insurance today, this is another area where insurers can score big with products and services that help avoid, mitigate, or transfer the risk of cyber-perpetrated breaches and attacks. It can be a win-win situation if insurers with holistic cyber risk management offerings are able to help their customers reduce their cyber risk profiles.
Insurance companies can also improve the accuracy, quality control, and relevance of both in-house and third-party data by establishing a more comprehensive privacy governance framework, leading to trust and operational efficiency. Equipped with new data science techniques and strategic approaches to protect sensitive information, insurance companies can make positive use of new data sources. This will make them better prepared to effectively manage data privacy in an increasingly digital world and to serve their customers more effectively with tailored offerings, new services, better pricing, and reduced time to service delivery. Insurers that focus on building a strong privacy program today and seizing all available opportunities to win customer trust will gain competitive advantage and stand out from the competition.