How much data does an insurer need to collect about its customers in order to deliver its products and services? It’s an issue that needs addressing, for many insurers could be working under some questionable assumptions. Many a digital strategy could need rewriting.
This is a question that sits in the middle of a developing storm. On the one hand, consumers have enjoyed many facets of the digital revolution, but continue to have privacy concerns stemming from the way in which firms process large amounts of their personal data. These privacy concerns became encapsulated, to a large but not complete extent, in Europe’s General Data Protection Regulation (GDPR).
On the other hand, insurers have been building their business models around ever greater levels of personalisation, in order to individualise their marketing, underwriting and claims. The mindset has been that if a piece of data yields any risk or fraud related insight, then insurers must have access to it.
Insurers clearly didn’t abandon those business models when the GDPR came into force. That was because they felt they had a legitimate interest to process all that personal data, on the basis of those real and potential risk and fraud related insights.
Yet the GDPR also sets requirements on data minimisation. Firms have to ensure that any personal data they use is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
Insurers' Digital Construct
The sector has developed what might be called its ‘digital construct’. Insurers’ ‘risk related’ argument gave them a legitimate interest in processing our lifestyle data and, together with the insurance contract, gave them an apparent ‘get out of data minimisation’ card. In essence, their minimum is very wide, because they need to know where any risk and fraud is coming from.
The pricing review could fatally undermine that argument. It is exposing the extent to which insurers have been making significant use of data for non-risk (or fraud) related purposes. This has primarily been to find out a customer’s ‘willingness to pay’ and to use this in the setting of the quoted premium. So insurers may be collecting your shopping, travel and social media data purportedly for risk and fraud reasons, but they are in fact now using it largely for the setting of competitive prices. No other sector is given that sort of leeway.
Open to Challenge?
Does this leave the sector open to a challenge, on data protection grounds, of the legitimate interest they’ve been building their digital strategies around? I’m no lawyer, but to others on the ‘Clapham omnibus’ like me, there are privacy concerns here that need addressing.
It looks like the Citizens Advice super-complaint has opened up an ethical can of worms. Has it lifted the lid on the sector’s dominant pricing paradigm and found it to be questionable not just on the grounds of fairness and discrimination, but now privacy as well? And could that privacy question turn out for the sector to be the most dangerous of them all, given the penalties permitted under GDPR?
Given that the pricing super-complaint was obvious for about a year before it was delivered, are insurers doing enough to weigh up these further challenges, to respond to the warning signs that even a cursory scan of the data ethics landscape will identify? Some insurers may have felt that their digital pricing techniques were taking them onto a competitive superhighway. They may turn out to be driving the sector off a cliff.