Compliance with the Protection of Personal Information (PoPI) Act is not simply a nice-to-have for South African insurers – it’s an absolute must! The prospect of large fines and the resultant bad publicity for those who are non-compliant could badly damage an insurer’s reputation and share price.
However, complying with PoPI is difficult given the complex spaghetti of administrative, customer, and data systems and software, not to mention manual processes, that many large-scale insurers possess. It must also be remembered that most of a customer’s personal information is stored in policy administration systems, and many insurers have multiple instances of such systems. As an extreme example, one large UK composite insurer maintains 27 different short-term insurance core administration systems and 39 core life systems!
Let’s consider five main challenges for complying with PoPI…
THE MULTIPLE LEGACY SYSTEM HEADACHE
As noted above, many insurers have multiple policy administration, CRM and data legacy systems and software. This creates problems for PoPI compliance, as a customer’s data could be fragmented/replicated, and stored in several systems.
Consequently, insurers will need to attach identifiers to all instances of a customer’s data and ensure that the data is only utilised when the customer has given consent, and only for the purpose for which the data was provided. For example, personal data that a life insurance customer has given consent to use cannot automatically be utilised to market householders’ insurance.
Another aspect of the same problem is that insurers must be capable of ‘forgetting’ or deleting a customer’s personal data across all relevant systems and ensuring that this data cannot be used afterwards. This effectively means deleting or destroying all personal data. Many older systems don’t have a ‘delete client data’ button, and thus either special routines will have to be built, or a manual approach taken!
As an example, consider a customer with a number of different policies stored on several systems (a customer could have life, investment, and short-term policies with a single insurer). The insurer must either make these changes manually (expending time and resources), or develop an automated process that deletes all of a client’s data across all relevant systems, so that when a customer instructs the insurer to ‘forget me’, the request is automatically executed.
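An added illustration (not code from the original post) of the approach described above: a consent register keyed by customer identifier enforces purpose-limited use across several administration systems, and a single ‘forget me’ routine erases the customer from every system and then verifies that nothing remains. The system names, the customer identifier ‘C001’ and the data values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PolicySystem:
    """One legacy administration system holding a fragment of a customer's data."""
    name: str
    records: dict = field(default_factory=dict)  # customer_id -> personal data

    def holds(self, customer_id):
        return customer_id in self.records

    def erase(self, customer_id):
        return self.records.pop(customer_id, None) is not None

class ConsentRegister:
    """Customer identifier -> set of purposes the customer has consented to."""
    def __init__(self):
        self._consent = {}

    def grant(self, customer_id, purpose):
        self._consent.setdefault(customer_id, set()).add(purpose)

    def permits(self, customer_id, purpose):
        return purpose in self._consent.get(customer_id, set())

    def revoke_all(self, customer_id):
        self._consent.pop(customer_id, None)

def use_data(systems, register, customer_id, purpose):
    """Collect the customer's data from every system, but only for a consented purpose."""
    if not register.permits(customer_id, purpose):
        raise PermissionError(f"{customer_id}: no consent for purpose '{purpose}'")
    return {s.name: s.records[customer_id] for s in systems if s.holds(customer_id)}

def forget_customer(systems, register, customer_id):
    """'Forget me': erase from every system, revoke consent, then verify nothing remains."""
    erased = [s.name for s in systems if s.erase(customer_id)]
    register.revoke_all(customer_id)
    remaining = [s.name for s in systems if s.holds(customer_id)]
    return {"erased_from": erased, "remaining_in": remaining, "complete": not remaining}

def build_sample():
    """Constructed sample: customer C001 is held in the life and investment systems only."""
    life = PolicySystem("life_pas", {"C001": {"name": "A. Example", "dob": "1980-01-01"}})
    invest = PolicySystem("investment_pas", {"C001": {"name": "A. Example", "bank": "PLACEHOLDER"}})
    register = ConsentRegister()
    register.grant("C001", "life_insurance")  # consent given for life cover, nothing else
    return [life, invest, PolicySystem("short_term_pas")], register
```

A request to use the same data for householders’ marketing is refused because no consent for that purpose exists, while the erasure result lists every system the customer was removed from so the insurer can evidence the deletion.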
IDENTIFYING PERSONAL INFORMATION
Insurers must be able to identify personal information. PoPI, unlike GDPR, clearly specifies what constitutes ‘personal information’. That definition includes the varied nature of the data elements (alphanumeric characters, text, images, biological material, etc.), and the unstructured nature of some of the data elements (such as images and free text, correspondence, and ‘views or opinions’). Utilising personal information requires the customer’s express consent.
Currently, there aren’t any cookie-specific laws. If cookies or other tracking-derived information is eventually deemed personal information, there would need to be reasonable grounds for justification to process this information. Personal information relating to children (under the age of 18) and special personal information (including private information relating to religious beliefs, race, trade union membership, health or sex life, biometrics, and criminal offences) are considered ‘sensitive’ and subject to onerous processing obligations.
An important role for the insurer’s information officer will be to determine the rules around defining personal information and being able to articulate that to the rest of the organisation. Regardless, insurers may only store and process personal information when necessary. For example, if a customer takes out household insurance, the insurer doesn’t need to know how many cars s/he drives or how many vacation days s/he takes.
AVOIDING ‘REGULATORY PARADOX’
PoPI clearly requires insurers to reduce the nature and volume of personal information they hold and retain in their systems and software, in order to protect customers’ privacy. Paradoxically, though, regulators generally are requiring insurers to retain more and more customer data, to detect money laundering, fraud, terrorist financing (FICA), etc. How will insurers find ways to resolve this paradox in a compliant manner?
TRACKING THIRD PARTIES
The insurer must, in terms of a written contract, ensure that a third-party (operator) processing data on behalf of the responsible party establishes and maintains the required security measures. The third-party must:
- Process personal information only with the responsible party’s knowledge, or authorisation, and must not disclose it unless required by law (or in the proper performance of their duties).
- Immediately notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Under PoPI, a written agreement relating to third-party access to personal information and customer consent is normally required, but not necessary in all circumstances. Insurers who offer customers access to their data via self-service capabilities and give third parties access to the data stored in their systems and software must be able to track whenever and wherever personal data has been accessed, no matter the channel.
The regulator and data subjects must be informed, within a ‘reasonable timescale’, where there has been a breach of personal information.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is more than just losing personal data; it includes any misuse, hacking, data sales, or any unauthorised use.
The regulator may direct that a data breach can be publicised if there are reasonable grounds to believe that publicity would protect an affected customer.
A breach may come to light via:
- The individual ‘data subject’, via a complaint to the information regulator
- The insurers – there is a PoPI requirement for organisations to notify the information regulator and the data subjects of any compromises of their personal information
- The information regulator where s/he has initiated a review or investigation of an organisation’s compliance, which they are empowered to do under PoPI
TWO CHOICES FOR POPI COMPLIANCE IN SOUTH AFRICA FOR INSURERS
Despite the headaches that the Protection of Personal Information (PoPI) Act will undoubtedly create in South Africa, there are some potential benefits. Many insurers have a significant number of long-term policy holders who have been largely forgotten, especially considering that insurers have some of the lowest customer-touch levels across all financial services verticals.
PoPI might be the mandatory nudge that gives insurers the opportunity to re-establish communication with these long-lost souls and start to build a meaningful customer relationship. They can also leverage their renewed connection to sell innovative services, creating new revenue opportunities and reengaging with customers. After all, it’s a much bigger investment to gain a new customer than it is to expand a relationship with an existing one.
TWO FUNDAMENTAL CHOICES
Insurers must comply with PoPI within the designated timescales, but the key question is how they adapt. Compliance will require a major reworking of their existing software, systems, data management processes, and governance controls.
They can undertake this in one of two ways:
1. Adapt Existing Core Insurance Systems and Processes – insurers can make significant changes to their current in-house core software and administrative systems by ‘wrapping’ them with supplemental technologies (such as data passporting) and manual processes. However, this may not necessarily make it easier to prove compliance, and will undoubtedly be labour- and resource-intensive, and potentially costly. One of the key challenges in this regard will be that as data moves through an insurer’s systems and processes, the PoPI requirements will vary (at the underwriting stage, for instance, data may have to be shared with third parties, such as reinsurers). Understanding, documenting, and controlling the requirements as personal data “moves” through an insurer’s processes will be a massive challenge without automation.
2. Implement New Digital Platforms – alternatively, insurers can implement a new, up-to-date policy administration system (PAS) and digital customer engagement technology, with automated compliance. This approach provides the option of full digital transformation, potentially touching every area of their business. This will include unearthing new business opportunities, providing a unique customer experience, benefiting from robo-advice, cutting operational costs through automation, reducing headcount, and more.
A MODERN PAS/DIGITAL SUITE
As previously mentioned, insurers will have to adapt their core administrative and CRM systems and processes for PoPI compliance in one of two ways. The first approach is for insurers to use in-house or outsourced IT professionals to adapt their current core and data systems for compliance. This is not necessarily a quick fix and could easily cost major insurers millions, with no guarantee of success.
An alternative approach is to take the same budget required for an in-house solution and invest in a new, modern core system(s), pre-designed to comply with PoPI requirements and integrated with a digital platform. In addition to automated compliance capabilities, this approach offers enriched functionality that can enhance an insurer’s business model by touching almost every aspect of the business. With customers demanding a vastly improved user experience, this may be the only option for some insurers.
To achieve this, insurers require a digital platform coupled and pre-integrated with a modern policy administration system (PAS). Such a combination could not only reduce long-term costs, but also provide a platform to introduce new innovative products and services.
For additional information, please check out my NEW white paper, PoPI Challenges and Solutions for South African Insurers, at www.sapiens.com. It examines all of the challenges facing insurers on the road towards full PoPI compliance, as well as some opportunities that will likely result from the regulations, and how insurers can maximise those opportunities.