DST Systems says there are opportunities in GDPR. Insurance Times spoke to DST Applied Analytics managing director Ruaraidh Thomas to find out why.

How prepared do you think the industry is for GDPR?


If it was a spectrum it would be fairly broad. I think there are companies coming into it later than others. There are two ways people have approached GDPR.

Some have seen it as a strategic opportunity to say: ‘let’s review how we’re doing what we’re doing’.

And that can be in quite small elements or it can be as a broad brush.

There are others that have got so many things on that they might have considered this slightly later.

So they are trying to make sure that they are getting up to speed and up to scratch.

I think it is also dependent on their model in the context that if we are talking about brokers, insurers and underwriters.

They all use data in different ways.

There is a real broad brush.

Across sectors, the average investment in GDPR is around £1.2m, according to a recent DataIQ survey.

Companies have put a lot into it, but it is going to be quite varied.

Does GDPR pose any opportunities for the insurance sector and businesses in general?

GDPR to me is about making sure that you know what data you hold and any PII information that you hold.

It is really just a modernisation of the current Data Protection Act (1998). In that time we’ve had mobile, internet.

It is probably an overdue modernisation. A lot of the key principles are quite similar.

What has really grabbed people’s attention is the nature of the fines and the regulatory picture that varies from the current Data Protection Act.

As a result of that, people have had to invest. All of this has come with a cost.

For those people who are already quite organised it will be less burdensome, but for those people who have had to introduce a more official line and employ a data protection officer and more provenance and reporting standards, it will have been an investment.

Businesses have websites, CRM systems, data warehouses. Insurers have risk profiling.

You need to join that all together in order to answer the question that they will have to answer on the 26th May, when I ring them up and say: ‘what have you got on me?’

It is a cost right now, but also a much bigger opportunity to be able to say: ‘actually, I know quite a lot about Ruaraidh and I can now give Ruaraidh a much better service if I can now engage with him in the way that he might like to be engaged’, or not as the case may be.

In addition, through all this spring cleaning there are a lot of business cases and justifications being made for investment in newer approaches.

Not just in technology, but in working practices, that allow people to be more agile in how they look after their end customers and prospects.

The main point is: if you’re going to spend this money to get compliant, why not use it to your advantage?

You are not only ticking the box for GDPR, you will also be ticking the box for better customer engagement and customer experience.

For example, there’s been a lot of work done on re-writing privacy notices so they are more engaging, so that people won’t just opt out.

There is a lot you can do with copy to help customers understand that you are going to look after their data.

Are there any insurer worries about firms they insure being up to scratch?

I think one of the things about insurance in the context of insuring businesses would be that there would be an element of seeking to ensure that, in the same way as a business has to satisfy compliance in other areas, this would now become equally as important.

The effect of a large fine on the financials of a business would potentially make that business not viable.

How well is the Information Commissioner’s Office (ICO) doing in preparing businesses for GDPR?

Whatever stage you are at, I have found the ICO to be very pragmatic.

They’ve got a big challenge themselves in that they have got to be resourced in order to manage this on behalf of all of us.

I think they are up against it in some respects, as are others.

I think they are being as clear as they can. There is a natural view that might say they should be communicating or educating us all more on this, but as I say that’s equally the responsibility of businesses.

I think they are doing a pretty reasonable job.

If you are worried about it, they are open to talk to you and guide you through the things they want to see happening. So the big thing is: don’t be worried about it, but don’t put your head in the sand either.

What advice would you give to a firm that does not think it is going to be ready?

To make sure you have a plan that says you have at least got a pathway towards becoming compliant.

It is not just about becoming compliant, it is about staying compliant.

For many businesses it is a business change, a cultural change.

But it is about being compliant and making that ongoing. It is not just about getting over the line on May 26th.