Could GDPR Transform The Insurance Industry?

By Kaijia Gu

This article first appeared on BRINK News on 24 May 2018.

On 25 May, we cross the long-awaited threshold of the General Data Protection Regulation (GDPR). The door to the new regulatory era is finally open. Revised laws protect and empower European Union citizens’ data privacy, and consumers can take ownership and control of how their personal data is used and shared. For most organizations, this will be a radical shake-up across the region of how they approach data privacy—with sizeable financial and reputational consequences.

Until now, GDPR discussions have largely focused on compliance requirements. As a risk-conscious sector, most large insurers and wider financial services firms have been diligently carrying out GDPR readiness programs, ensuring all compliance “boxes” have been firmly ticked. For some, GDPR is simply a hugely expensive compliance exercise.

Yet, treating GDPR as merely a governance issue would not only miss potentially significant strategic opportunities, but also pose a threat should someone else get there better and faster.



Leveling the Playing Field

GDPR gives ownership and control of data usage back to customers; large companies that capture and use consumer data can no longer claim this data as their own asset. Crucially, at a customer’s request, organizations need to allow data to be transferred to any third party.

This will lead to a dramatic leveling of the playing field between incumbents and new entrants. Until now, the gap in “data assets” and the insights they generate has been a barrier to entry for all large insurers. But post-GDPR, large incumbents will no longer have a monopoly on consumer data and will need to defend their market positions with different competitive advantages.

On the other hand, this is great news for new entrants, especially ambitious and nimble InsurTech startups, for which data previously was difficult and expensive to acquire. The innovative business models of the future will no doubt combine profound data insights with seamless user experience, smart recommendation and advisory capabilities empowered by artificial intelligence, and other value-added services.

Transforming Policy Renewals

Currently, most insurers tend to make money only when customers renew their policies. For many years, insurers have relied on lengthy quotation forms and clunky comparison processes to deter customers from taking their business elsewhere. In today’s time-poor world, many customers have stayed with their existing insurer out of sheer convenience.

This accounts for the bulk of insurers’ total profit and reinforces the profit signature cycle of upfront losses compensated for by large renewal profits. Home insurance firms have attempted to change this, but for motor and most other personal and commercial insurance, the process is still very time-consuming and often frustrating.

But what if filling in cumbersome questionnaires could be circumvented with one click?

The One-Click Game-Changer

Post-GDPR, one significant game changer will be the “one-click quote.” This easy lifting of personal data from an existing supplier (with a customer’s consent) poses the major threat of increased attrition levels and massive profit erosion.

With data no longer “walled in” by incumbents, organizations will need to apply fresh thinking to how they differentiate themselves to seize a competitive advantage. For increasingly discerning clients, a smooth customer experience will be regarded as the baseline.

Two notable additional questions will be on the minds of future insurance customers:

1. ‘Is my data safe?’

Oliver Wyman’s Britain’s Digital DNA survey established that consumers’ biggest fear regarding the digital world is the loss of privacy. More than half of those surveyed were worried about sharing personal information online. Future consumers will demand greater transparency in data usage, and GDPR makes it mandatory for companies to provide that.

Since it’s difficult for consumers to understand the technical details and data practices a company employs, a trustworthy brand and the resources to “right the wrong” when necessary are key to being perceived as a likely guardian for data and privacy.

Another important survey insight is that the top three categories of businesses that consumers tend to trust with their data include two insurers: health insurers and motor and home insurers. Combining a trustworthy name with convincing proof of data and privacy protection could give well-established incumbents a competitive advantage over the newer entrants, which are only now establishing their reputations.

2. ‘Am I getting value from sharing my data?’

Given the explicit consents required to use and share data, consumers will increasingly realize that their data holds a lot of worth. They will be looking to get more value from sharing their data, be it exceptional service and experiences, personalized products and offers or discounted products and services.

These incentives will become the new currency in exchange for keeping or passing on personal information. In the long run, consumers are more likely to get closer to the “fair value” for their data given the increased competition on a leveling playing field.

Move Beyond Compliance

By the time GDPR comes into play, most organizations will have undertaken thorough data auditing to ensure compliance. However, incumbents shouldn’t stop there. Future success may depend on how well companies understand which data assets are required when building the business of the future. Likewise, they will need to comprehend how to protect existing data assets (so consumers don’t ask for their data to be erased) and obtain those they don’t yet possess.

Insurance is a complex business, and, from May 25 onward, the industry will experience considerable transformation. In the short term, it might feel like not much has changed, as it will take consumers time to understand their rights and the value of their data. Inertia will make this process gradual rather than overnight.

For those who choose to not look ahead and content themselves with simply complying with GDPR, however, the risks of being left behind are very real.