Consent seems to have been largely taken for granted by the insurance sector. Cover came with automatic terms and conditions relating to what the insurer could do with your personal data. If you didn’t agree, then you weren’t offered cover.
While the UK insurance market was crowded and competitive, it also showed considerable conformity on such terms. Insurers didn’t compete on declaration wordings. The information asymmetry between underwriter and policyholder meant that this conformity was all too often accepted as the norm.
Move forward to the immediate future and a changing landscape for personal data. The loss of utmost good faith in personal insurances, the rise of social media, advances in data processing and the interest in telematics devices have led insurers to invest heavily in the acquisition of new data sources for underwriting insight. Putting those new sources to effective use is seen as a vital source of competitive advantage.
There’s a danger that this rush to harness and exploit ‘big data’ will cause insurers to pay lip service to the policyholder’s wishes for how their personal data can be used. That historic ‘take it or leave it’ approach to policyholders’ personal data may be rather too ingrained. ‘Danger’ is no overstatement, for coming over the compliance horizon at just the same time is a new set of EU regulations on data protection.
These regulations will only allow insurers to process their policyholders’ personal data in ways for which explicit consent has been given. This is an exacting standard, for it requires the policyholder to not only understand what is going to be done with their data, but also understand the implications for them of having their personal data processed in that way.
So what should insurers do? It’s worth starting with a quick look back at some lessons from the not too distant past. Insurers’ involvement in referral fee arrangements left policyholders who understood what was happening with a sense of having their personal data exploited well beyond the bounds of acceptable practice. The debacle of payment protection insurance may have been largely the responsibility of banks, but if the recent fines for providers of card protection insurance (for inadequate consent procedures) are anything to go by, some insurers have also been playing similar tricks on their policyholders.
Looking forward, here are examples of how some insurance functions should start thinking about consent.
At the product design stage of an insurance offering, insurers and brokers need to look closely at the way in which add-on extras are aligned and presented. The automatic opting in of policyholders needs to be closely scrutinised from a number of angles. The profitability of such add-ons may tempt the provider to be over-optimistic in such reviews, so input from a critical friend could be a useful counterbalance.
Claims directors should create an information trail of incoming and outgoing personal data and ensure consent is treated consistently and appropriately across it. If they haven’t already done this following the questions raised about referral fees, then now’s the time to get started.
Sales directors need to look at the scripts used by their front-line teams and ensure that explicit consent markers are properly integrated into dialogue with the customer and into how the permissions gained are processed going forward.
Marketing directors need to look at any sources of external data bought in by their firm and check the consent markers attached to such data. The ways in which that data is then utilised within the firm need to respect those permissions. If consent markers are not obvious, then questions need to be asked about using that data in the first place.
The internal audit and compliance teams need to build up a detailed understanding of explicit consent and review established practices from other sectors and professions. Given the sector’s relatively ingrained views about personal data and consent, this detailed understanding will help deliver the level of assessment and challenge needed to ensure explicit consent is appropriately upheld.
And finally, HR departments need to develop a map of consent points across their firm and use it to deliver a training programme that embeds new thinking on consent where it is needed most.
That mapping of consent points across a firm’s operations is important, for it allows a firm to address consent consistently both now and in the future, and remain proactive to changes (both regulatory and reputational) going forward.