While the proliferation of data affords clear opportunities, insurers face impediments in realizing the value of their data, as well as heightened scrutiny from policymakers, regulators and consumers. Some customers are reluctant to trust insurers with their information, and evolving privacy regulations and norms impose constraints on data use.
General Data Protection Regulation
In May 2018, the General Data Protection Regulation (GDPR) came into effect across the European Union (EU). This regulation codifies and enshrines new consumer rights and organizational responsibilities, focusing boardroom attention on compliance and readiness. While GDPR applies only to firms that collect personal data on EU residents, it may represent the leading edge of privacy regulation globally. Advocates and critics of GDPR agree that the privacy and data protection principles from which it is derived enjoy broad social acceptance.
US privacy regulations
In the US, insurers face privacy regulations at both federal and state levels. The Federal Trade Commission enforces fair-trade practices in privacy and data use, and different federal laws and regulations govern the use of specific types of data. For example, the US Chamber of Commerce is calling for Congress to adopt a federal privacy framework, and the Business Roundtable released a framework for a national consumer-privacy law, urging lawmakers to pass privacy legislation in 2019. Large technology firms, even those that opposed privacy laws in the past, have also been lobbying for federal privacy legislation.
Privacy regulations constrain organizations’ ability to use data by limiting what they can collect, how they can use it and how long they can retain it. Compliance requires significant investments of money and time that limit firms’ abilities to address strategic questions.
Maintaining consumer trust
A poll conducted in April 2018 found that only 20% of US consumers fully trust large companies to protect their information, while 73% believe that companies put profit ahead of their responsibility to protect consumers’ information. The consequences of this lack of trust are significant. To maintain trust, insurers are communicating more clearly to customers what data a firm collects and how it uses that data. Research and business experience show that privacy is a deeply personal concept that is significantly dependent on context. Regulation, by contrast, often treats privacy as a cognitive issue, regarding consumers as rational actors deciding when and how to barter access to their information.