General Data Protection Regulation (GDPR) is no excuse for obstructing vulnerable protection customers from accessing added value services.
This is according to protection industry veteran and Morgan Ash chairman Johnny Timpson (pictured), who highlighted difficulties some customers can face in getting support.
Timpson was speaking at the launch of the Chartered Insurance Institute’s (CII) guide to data privacy for customers in vulnerable circumstances this morning.
The guidance aims to support insurance and personal finance firms in managing data relating to customers in vulnerable circumstances.
The Data Privacy for Customers in Vulnerable Circumstances guide clarifies in practical terms how customer vulnerability-related data can be managed in compliance with UK data protection requirements and the Financial Conduct Authority’s (FCA) Consumer Duty.
It contains three distinct and interconnected purposes for processing vulnerability data. These are:
- providing appropriate support and to prevent harm,
- meeting reporting requirements,
- driving product and service improvements.
Added value services
Discussing key situations for the health and protection industry in particular, Timpson pointed to the example where customers face barriers to accessing additional services.
“In the protection industry insurers have these additional value services, that might be grief counselling or it could be some other form of specialist support or physiotherapy,” Timpson said.
“Those are non-contractual services being provided by that product provider, but invariably, you don’t necessarily need to be the policyholder to claim those benefits.
“However, if someone is trying to access those benefits, the insurer will say ‘you have to contact the added value service provider directly, we can’t automatically introduce you’.”
According to Timpson in these instances where a customer is vulnerable these barriers should not exist.
“Just do the right thing,” he continued.
“Ask yourself the question: If that was you or a member of your family, what response would you like to that question.”
GDPR is no barrier
Therefore, Timpson called on insurers to join the FCA and the Information Commissioner’s Office (ICO) in dispelling the myth that GDPR gets in the way of doing the right thing.
“With the very welcome March 27 FCA and ICO joint statement clarifying once and for all that data protection laws are not, and should not, be a barrier to identifying and sharing vulnerability data plus proactively signposting in our industry and profession,” he said.
Timpson maintained that GDPR should be seen as a facilitator to accessing insurance.
“It’s known, standard and understood,” he continued.
“What is more challenging for firms is how to manage vulnerability data and hence the value in this guidance.
“Particularly as the FCA keeps rightly saying, we need good data to be able to identify the outcomes for vulnerable customers – and simplistically this needs consistent data that can be collated into management information, so firms can see if a particular cohort of vulnerable customers are receiving good outcomes or not.”
Building trust
Timpson, who contributed to the development of the guidance, revealed that it not only takes into account GDPR, but also Consumer Duty.
“It’s focusing on not just about what lawful basis we can use for GDPR but also what will build trust with our customers,” he said.
And this played into the rationale for proposing explicit consent as a key recommendation in the guidance.
“It not only is the best option proposed by my team at Morgan Ash and myself, but is also in line with building transparency and trust with our customers,” he continued.
“Trying to use some other lawful basis that does not engage with the consumer – i.e. holding data without telling the consumer – is not in line with building trust.
“And as we all know, trust is hard to build and so easy to destroy. Hence, we need explicit consent, and systems to store the data securely.”