Insurance Agents Quick Guide To GDPR
Wasn’t it the worst feeling when you kept getting GDPR update emails from almost every company you do business with, but had no clue whether you should be sending one too?
It’s easy to think this new law doesn’t apply to you, especially if you are a local agent.
But here’s the thing:
If you collect anyone’s information online, you need to be compliant with GDPR, because you can’t tell where the person requesting a quote or submitting a form on your site actually lives.
Today I will go over what GDPR is and precisely how it affects you as an insurance agent who generates leads online.
What Is GDPR?
GDPR stands for General Data Protection Regulation, and it was created to protect the personal data of individuals in the European Union.
This means that if even one customer or lead lives in the EU, you can be held responsible for how their data is handled, and an EU supervisory authority can fine you if that data is breached or mishandled.
GDPR’s main purpose is to give EU residents more control over who is using their data and how it is being used.
We Do Have A Quick Disclaimer: It is not our intention to give you legal advice or decipher this law for you. We are insurance agents just like you and are giving you a general overview of how to protect yourself. Please be sure to consult your legal counsel for any specifics.
How GDPR Works & How To Implement It
The law is complex, so below we go over it in general terms to help you understand how it works.
The Roles We Play
Since you handle customers’ information, it is your responsibility to keep their data safe, and you must also be able to tell them when, how and where you plan to use it.
The “lingo” used for your customer is Data Subject.
As an agent, you are considered a Data Controller, and the services that handle customer information on your behalf (quoting tools, CRMs, email marketing platforms) are Data Processors.
For example, we use Ninja Quoter as one of our Data Processors; below we show how that relationship should look:
So when a customer comes to my site, as the Data Controller I am fully responsible for any EU customer who gets a quote and whose data I end up collecting.
Ninja Quoter isn’t the controller for the customers who get a quote from my site, since they are Data Subjects of Simply Insurance. A processor still has obligations of its own, though, and you should have a written data processing agreement in place with each processor you use.
Inform Your Customers
You need to tell your customers how you plan to use their data, how you won’t use it and when you will be finished with it.
Have A Legal Reason To Market
With GDPR you are required to have a legal basis for every way you use someone’s information.
So if you want to market to them, you need their consent; selling them a policy they asked for is covered separately under performance of contract, discussed below.
Informed consent means the customer explicitly agrees that you may process their information and agrees to receive communication from you.
To use “informed consent” as your legal basis for collecting their data, there are a few things you have to get right.
If you have consent boxes on your site, don’t pre-check them; the customer has to tick the box themselves, and a box left unticked means no consent.
Be able to show proof that the customer consented to your marketing: when they consented, which form they used, what wording they were shown, and from where.
The best way to add this to your site is to add GDPR-compliant consent boxes to every form that collects personal information.
You can also tag consenting contacts if you use an email marketing product like Infusionsoft, so that only tagged contacts receive marketing.
Performance Of Contract
When you perform a contract, or someone makes a purchase from you, you will need to process their data to accomplish what the contract requests.
This could be something like quoting the customer, helping them complete an application as well as delivering an approved policy.
When you rely on performance of contract, remember that this basis only covers the processing needed to deliver what was agreed upon, so cross-selling other products needs its own legal basis (such as consent) rather than piggybacking on the contract.
Ability To Be Erased, Withdraw Consent or View
You have to make it easy for a person to have themselves removed from your records completely.
It should also be as straightforward for them to withdraw consent as it was to give you permission to market to them.
If you have a business relationship that ends and you are still owed money, you may have the legal right to keep that customer's data.
However, you should immediately stop all marketing efforts to that customer.
If a customer makes a request, it is up to you to follow through with it; GDPR expects a response without undue delay and within one month, and failure to act promptly can result in fines.
How you set this up depends on the software you use, but make sure the customer can easily email someone, or configure your tools to notify you automatically when such a request comes in.
Your customer also has the right to know whether you are using their data.
If their data is being processed, they have a right to know what is being processed and to request a copy of it in a portable, readable form.
Portable means a structured, commonly used, machine-readable format such as a CSV or JSON export from your CRM; a screenshot emailed to the customer does not meet that bar. Verify the requester’s identity before you send anything, because an access request is also an easy way for an impostor to pull someone else’s data.
Ability To Fix Their Record
Your customer also has the right to request that their records be corrected if they are wrong.
You should take care of this promptly and make sure no other information needs to be updated at that time.
Designate A Data Protection Officer
This part is tricky, especially for us as agents.
The law requires a Data Protection Officer (DPO) only in specific cases: public authorities, organizations whose core activities involve large-scale regular monitoring of individuals, or large-scale processing of special categories of data such as health information. Most small agencies are not obliged to appoint one, but it is still wise to name someone who owns GDPR compliance and can give you guidance. Keep in mind that life and health applications contain health information, which is special category data, so an agency handling that at scale should ask counsel whether a DPO is mandatory.
The law does not define a separate “Chief Data Security Officer,” but you do need a named person who handles complaints about security and privacy and responds to data subject requests.
You can appoint yourself to this role, since most of us are one-person or small agencies.
Just make sure whoever you put in this position is someone who can be reached easily, and that the contact details in your privacy notice point to them.
Finally, a controller with no establishment in the EU may need to designate a representative based in the EU (this is about where they are established, not citizenship) to act as a point of contact for EU data subjects and supervisory authorities.
That requirement is waived when the processing is only occasional, is not large-scale and does not involve special categories of data, which describes most local agencies; if you find yourself with a substantial number of clients in the EU, the usual answer is to hire a third-party representative service.
Why It Matters To You (A Local Agent)
In 2018 things have changed drastically: the world is much smaller, and the days of going door to door to sell an insurance policy are a thing of the past.
The age of information, fintech and insurtech is upon us, and technology lets us sell insurance over the phone and online without ever meeting in person.
This new way of doing business has made new guidelines essential, and how we handle our customers’ information is a big part of that.
If you have just 1 customer in the EU sign up for your newsletter or get a quote on your site, you can be held liable if something happens to their information and the sanctions can be enormous.
There is also a good chance that GDPR will set the standard for protecting personal information in other countries, and eventually the US.
If this happens, it is best to be prepared now for that situation than later.
As insurance agents, we are always on edge when it comes to staying in compliance with the law.
After reading this post I am hopeful that you feel a bit better about dealing with the GDPR law.
Don't waste any time putting all the things I talk about above into play.
It is imperative that you get things in order so that in that off chance the laws in the US change or you find yourself with data from an EU customer, you are protected.
I would reach out to each of the data processors you currently work with and ask what tools they offer to help you stay GDPR compliant.