The post-Brexit regulatory landscape is complex for insurers, but they can achieve compliance and improve their customers’ experience by paying attention to data security and being transparent in their digital interactions, writes Katherine Peaker, Head of Octal Business Solutions.
Now that the UK and the EU have reached an agreement on their future economic partnership, insurers need to get to grips with the implications for their marketing communications. Those operating across multiple geographies in the post-Brexit environment need to work to the new outbound communications regulations, including the UK’s Data Protection Act (DPA) and the EU’s Privacy Directive and General Data Protection Regulation (GDPR).
This is because the UK’s DPA of 2018(1) adopted the statutes of the GDPR, effectively passing EU privacy regulations into UK law. In this way, the UK ensured that its citizens would be protected by the same privacy regulations as EU citizens after Brexit. In some areas, DPA 2018 is even more specific than the GDPR.
So insurers must comply with the DPA (incorporating the GDPR) for their marketing activities in the UK, and with the GDPR as well as other local regulations for marketing activities in the EU.
The challenge for insurers
Insurers need to use many different customer data sets for their communications and to communicate with customers in multiple countries. They’re rightly concerned about how they will remain compliant in this highly complex new environment, without having to carry out onerous manual checks that would limit their ability to conduct business effectively.
The question they are asking is: how can they navigate this new environment and run marketing campaigns effectively while respecting different territories’ privacy requirements?
They need to find the answer to that question, because the risks of non-compliance are becoming more severe. Fines for non-compliance with the GDPR in Europe rose 39% in 2020, to £138m(2).
The Swiss example
Switzerland is an example of the complexity created for direct email marketers by EU and individual country regulations. In Switzerland (and some other EU countries), sending unsolicited mass direct marketing emails is only allowed if recipients have provided their prior consent. This consent doesn’t necessarily have to be in writing. However, it’s not permissible to obtain consent by sending out unsolicited mass emails asking for it.
The Swiss Unfair Competition Act requires businesses doing direct marketing to consult the official phone directories for numbers that have been marked with a standardised telemarketing opt-out declaration, unless someone has otherwise consented to receive email marketing or has a customer relationship.
To add further complexity to the exercise, in Switzerland customers and prospects speak four different languages. This makes keeping track of their language variations, and adding the correct privacy notices, difficult.
Case law in the UK
In the UK, according to case law under the old Data Protection Act (DPA) of 1998(3), email marketing is admissible only with the intended recipients’ prior express consent.
It has since been ruled that sending unsolicited emails to unknown recipients using addresses indiscriminately collected on the internet (by using a web crawler, for instance) violates the old DPA, regardless of whether such emails provide for an opt-out.
Ensuring data security in the e-commerce customer journey
Ensuring that your platform strikes the right balance between experience and security when it counts is paramount in gaining your customers’ trust and being compliant.
For example, it is important as part of the cart abandonment recovery process to build security into the customer experience by adding effective measures to prevent data breaches and risks.
Compliant data gathering and enrichment
You should establish a lawful basis for processing personal data in line with the GDPR’s “lawfulness, fairness and transparency” principle. Establishing a partnership with your solution provider’s data privacy team will allow for strong governance mechanisms to support secure customer journeys that comply with all regulatory requirements.
Two areas to focus on are:
- Establishing if there is a legitimate interest
- Gaining customer consent by obtaining permission for something to happen or agreement to do something.
Meeting the regulatory challenge
Creating engaging digital customer experiences and using data effectively are essential for commercial success in response to new customer behaviour and digital entrants. But it’s just as important for insurers to balance customer experience and engaging features with regulatory compliance.
Data security, asking permission when gathering data or contacting customers, transparency and fairness are the new watchwords to ensure GDPR compliance in the post-Brexit landscape.
Contact us
To learn more about Capita’s market-leading expertise and capabilities in cart abandonment recovery, outbound marketing tools and e-commerce solutions, and the tangible benefits it can deliver for your business, contact Business Development Manager, Nathan Robinson on 07730 001065, or at Nathan.Robinson2@capita.com, or contact your account manager today.
Gabriel Swift
Account Based Marketing, Capita
Gabriel specialises in Account Based Marketing. With over 25 years’ experience working in IT organisations, Gabriel is passionate about innovation, creative thinking and enabling and supporting Senior Sales stakeholders in achieving their goals.