With the May 2018 deadline for GDPR implementation fast approaching, we will see a mad rush among organisations to get ready.
Most visible will be the push to get or renew consent from consumers. If you are a retailer, there is little reason to keep hold of personal data after a transaction, but consent will allow you to stay in touch.
For other companies, such as insurers, the situation is subtly different. They need to be able to process personal data simply to service the contractual obligation. For cases like this GDPR has defined five other ‘lawful bases’ that can be used as appropriate:
- for the performance of a contract;
- for compliance with a legal obligation;
- to protect the vital interests of a data subject or another person;
- for the performance of a task carried out in the public interest; or
- for the purposes of legitimate interests pursued by the controller.
The opportunity to choose your lawful basis
Organisations need to disclose which of the six bases (including consent) is being used, but there is no hierarchy defined between them. This means that if two bases both fit a particular use and processing of personal data you have a genuine choice which one to use.
This is important because the last basis is the seemingly very broadly defined ‘legitimate interest’.
Case law and GDPR guidance will no doubt develop on what are acceptable activities to place under this banner. The current guidance is limited, but it does indicate that most forms of direct marketing could be justified as a legitimate interest. Furthermore, if you have an ongoing relationship with customers, the guidance says that this should also help you to argue a ‘legitimate interest’, at least as long as you contact them to discuss ‘similar services’.
This should suit insurers who manage a lot of ongoing relationships. There seems to be a genuine option for them to use ‘legitimate interest’ instead of ‘consent’ for their marketing and sales activities towards existing customers.
This could have significant advantages. Legitimate interest would be much less costly to operate than ‘consent’ and is less complicated and therefore less risky. It would also not require a customer response, which is an important drawback of using ‘consent’.
A drawback of using consent
The success of GDPR consent gathering campaigns is uncertain, not least because in the run-up to May we can expect considerable consumer apathy developing against these tick-box exercises. Life insurers and pension providers will face the additional challenge that for material parts of their customer base the email addresses are missing and postal addresses may be out of date. This is a well-known problem due to our forgetfulness in letting our insurers know when we move house.
While GDPR does not force you to track down customers, it does require consent to be explicit. Therefore, if you don’t hear back this is the same as having no consent.
Imagine that you wanted to contact a valuable customer about consolidating her different pensions with other providers into one product on your pension platform. If you asked for consent to have this type of conversation in an email but didn’t receive a reply, you may have just shot yourself in the foot and forfeited the right to make a call. On the other hand, the competitor who holds the other pension had no problem, because he never asked for consent and instead disclosed a ‘legitimate interest’ to have the same conversation.
How big a problem this will be is for insurers to assess based on their own portfolios, but this highlights a potential flip-side of consent in which consumers lose out as well.
Why insurers should consider a mixed approach
There is a risk that use of a self-certified ‘legitimate interest’ is seen as an attempt to deploy a ‘get out of jail card’ for GDPR compliance. This is definitely not the case. To use it you need to conduct and document a so-called Legitimate Interest Assessment (LIA) which needs to lead to the genuine conclusion that for the particular use of personal data ‘your interests are not overridden by the interests or fundamental rights and freedoms of the data subject’. This is not an exercise to be taken lightly and with the potential brand risk and penalties that are attached to GDPR it seems unlikely that anyone would.
This does not take away from the reality that preparations for GDPR are well underway and there is significant pressure to use ‘consent’ to be in line with a market norm. There is also the rise of consent management apps which allow customers to centralise and be ‘in control’ of their privacy settings. Whatever the ultimate popularity of these apps, companies will be forced to invest in linking to them.
It will require some bravery to use ‘legitimate interest’. However, it seems to me that insurers should at least explore the feasibility of this option, if not for all customers and all processing of data then at least in a mixed approach for selected segments. There will be cases where this saves considerable cost and effort in chasing consent and it can help to avoid any unintended consequences for good customer service.
As highlighted by the UK Information Commissioner Elizabeth Denham in a recent blog: ‘consent is not the silver bullet for GDPR compliance’.
Disclaimer: This article is based on a personal reading of GDPR legislation. Please seek legal advice before taking any action.
If you have any comments or wish to discuss, please contact Michel.