Give me back my data: what insurers can expect from GDPR

A new data protection regulation which comes into force from May 25 in Europe will offer customers more insight into insurers’ decisions with regards to pricing and claims payments, increasing the likelihood of disputes while facilitating the switch to a different provider, as Intelligent Insurer discovers.

While penalties for the infringement of the European Union’s General Data Protection Regulation (GDPR) of up to 4 percent of a company’s worldwide annual turnover have dominated discussions, the new rules are also expected to have a broader impact on insurance operations including pricing, claims handling, research and development and underwriting.

GDPR regulates the collection, storage, processing, access, use, transfer and erasure of personal data. It will establish responsibilities for the "controllers" and "processors" of personal data.

Insurers process and retain a significant amount of personal data when selling policies and handling claims. These datasets may grow even further as insurers develop new products to take advantage of the internet of things, big data, artificial intelligence and automation.

GDPR disrupts automated processes

Insurance innovation is likely to be constrained by GDPR as the regulation strengthens the position of the owner of the personal data used in the development. Due to GDPR, data owners will be able to question the insurers’ internal processes and decisions taken based on this data, CEO of consultancy firm Fifth Step Darren Wray, suggests.

As part of the new regulation, the insured will, for example, retain a right to obtain human intervention to explain the rationale for decisions taken by automated processes.

“There is a high degree of upset if a claim is refused or the settlement isn’t as high as the insured would expect and it cost them nothing to complain and raise a request,” Wray says.

But at the same time, “it can cost the insurance company quite a lot if it is a very complex case and they need to have many people reviewing the case,” he adds.

Insurers will need to have trained staff in place who are able to process cases manually or assess a case that has been queried by an individual. Firms will need to be able to explain and provide complete transparency about what the inner workings are of their artificial intelligence (AI) solution or their machine learning solution or their algorithm, Wray explains.

A high degree of transparency should allow a human case worker to be able to review the output from a certain decision and explain to the customer why they have been rejected for cover, for example, because of a history of hard breaking gathered from telematics data or, why a policy has been priced at a certain level, for example because the customer lives in an area of high crime rate.

Empowering staff to explain certain decisions to customers may become even more complicated when it comes to true machine learning based on a large dataset and AI, Wray notes.

In order to be able to comply, insurers applying algorithmic or machine learning technology taking decisions need to ensure that there is a form of logging that documents the reasons and rationales and the path that the algorithm took, Wray explains.

“It will be important for organisations to be able to document, demonstrate, prove and have people who are skilled enough to be able to answer the questions and perform a query and an assessment of a particular case for a particular decision,” Wray notes. This is expected to particularly apply to claims handling due to the opportunities AI and machine learning offers in this field, but pricing is another obvious area, Wray says.

Ideally the explanation for the decision would be given to the data subjects together with the response in order to avoid complaints, Wray suggests. “They may still ask for a review but it might reduce the number of such requests and save the insurer money,” he explains.

Transparency may create conflicts

Nevertheless, complaints could question the core of the insurers’ pricing decisions. “The additional transparency may raise concerns of acts of discrimination over age or gender,” Wray says.

Insurers will have to prepare for a higher level of scrutiny over its internal decision processes than in the past.

“Insurers will have to ensure that they are compliant with laws that in the past they may not have been exposed to because outside of the organisation there wasn’t an appreciation of the mechanism of calculating the policy,” Wray says.

If a decision is based on a very clear age constraint or age decision, customers may make a claim against the insurer for age discrimination. They might claim that the decision was based on a deliberate bias or an implied bias through the use of datasets that are not diverse enough, Wray explains. This can trigger complaints over gender, race or other kinds of discrimination, he notes.

Easy switch for customers

The GDPR is also expected to make it easier for insurance customers to shop around for the most attractive offers because clients will be able to take their personal dataset with them, Wray notes. This is likely to particularly affect the personal lines insurance segment, he notes.

So far, a change of the motor insurer involves a time-consuming keying of data. In future, a data portability request will result in the downloading of a file which can be uploaded to a different carrier’s website or a comparison website and the individual attains an alternative offer, Wray explains.

Such a development is likely to also spread to other lines of business. “I don’t think it is going to take long before similar services are being offered for B2B type of business that involves individuals,” Wray says.

He points to directors’ and officers’ liability as an example, where details of the individuals involved may in future be downloaded and greatly reduce the amount of data that needs to be keyed in to request an offer from an alternative provider. “It speeds up the process and reduces the friction for changing accounts or changing providers,” Wray says.

Inquiries from customers are likely to be substantial. Two in five (40 per cent) of UK consumers are already planning to request personal information within six months of GDPR coming into force, according to a study commissioned by data management firm Veritas.

Consumers are most likely to request data from the financial services companies, including banks and insurance companies (56 per cent), the study that surveyed 3,000 people shows.

Among the key drivers for consumers exercising their data privacy rights are an increased control over personal data. Over half (56 per cent) of respondents don’t feel comfortable having personal data sit on systems that they have no control over.

In addition, consumers are interested in gaining a clearer understanding of what data companies hold on them. The survey shows that 56 per cent of participants of the study want to better understand exactly what personal information companies hold on them.

Some companies may struggle to respond promptly to such personal data request. Under the new GDPR, personal data requests will need to be answered by organisations within a one-month time limit.

“Some organisations have legacy systems and can’t necessarily update them to be able to extract the data,” Wray says. “Some will struggle to comply due to historical underinvestment in their IT and infrastructure,” he adds.

Companies have to provide all the personal data that they hold and process on an individual which includes names, addresses, or number plates because they can identify the owner, and it may also include opinions that the insurer has expressed about the individual, Wray explained.

Preparing data for R&D

If insurers want to continue using personal data to develop new products using AI or big data, they need to ask the individuals for consent in contractual terms that their personal data will be used for the development of new insurance products. An alternative would be to anonymise the personal data.

“Unless you would need to identify the specific individuals you use the anonymised information in order to create the new product and prove that there is a marketplace for the it,” Wray says.

Anonymizing data means taking away as much personal information so that an individual can no longer be identified. An actuary may need to know that the individual is a male aged 37 living in a particular area but not necessarily their full name, the exact birthdate or address, Wray explains.

The name can be replaced by another one of the same gender and while the year of birth is kept, the exact date can also be changed. These anonymised datasets can then be used as the basis for an insurer’s AI and other big data programmes and will allow actuaries to have the information required to interpret the statistical information to infer probabilities, Wray explains.

Data breaches remain a major threat

Brokers across the UK have identified data breaches as the single largest threat to insurers and their clients in view of GDPR.

Almost nine in 10 (88 per cent) of brokers saw data breaches as a key risk to their customers in 2018, according to the 2018 Q1 Broker Pulse survey, published by insurance and risk law firm BLM.

“Having recently seen Under Armour and its MyFitnessPal app users subjected to the third largest data breach in history, these findings back the view that data security poses an unparalleled financial risk for businesses in the digital age,” BLM partner and head of the firm’s broker sector Helen Devery, commented the survey.

“Indeed, whilst the investigation into Cambridge Analytica’s use of Facebook data will encourage more prudent data sharing in future, this is a real time issue, and businesses are facing greater pressures than ever before to keep their customers’ data safe,” Devery said.

Data breaches can be costly. Insurers are required to assess the breach, protect the data, inform the regulators and the affected customers in a timely manner. In addition to a penalty which can be up to €20 million or up to 4 percent of the worldwide annual turnover, whichever is higher, the insurer may face lawsuits from individuals for misuse of personal data.

“Hundreds of thousands of individuals may start to think that there is a potential payday here,” Wray says.

Customers may claim for damages of pain and suffering on the breach and the loss of data having had to change their credit card information, or because they are receiving 50 percent more spam in their email accounts than before the breach, Wray explains.

He believes that claims management firms will become active in cases of data breaches and push customers to claim damages in a similar way as they did with the mis-selling of payment protection insurance (PPI) in the UK. The agencies reportedly pocketed £5 billion by taking a cut of compensation claimed on behalf of consumers.

“Those kinds of scenarios will become very real, particularly when they are going to be pursued by the PPI claims manager type of mentality,” Wray says.

“Data misuse can be wide and varied. Organisations have to make sure that they are prepared for the consequences both from an information commissioner’s perspective but also the potential for individuals to take their own action,” Wray warns.