By Keavy Murphy, Manager of Cyber Risk & Compliance at CMT
Originally published in DIGIN, 1/28/2021

In order for insurance companies to maximize the potential of personalized, behavior-based telematics insurance policies and connected claims systems, drivers have to trust that their personal information is safe, secure, and used only for intended purposes.

The opportunity to build that trust – and the technological and procedural systems that ensure it – is now, while the sector is still young. That means there’s no time to waste in building privacy by design into your telematics programs starting today. 

Privacy by design is an engineering approach gaining significant amounts of attention as the world shifts its focus in 2021 to the importance of data protection. The benefits of privacy by design go beyond simply complying with regulatory requirements; it allows an organization to demonstrate that they are prioritizing the consumer in regards to their data protection expectations.

While meeting regulatory obligations is a necessity for any company that handles significant amounts of personal information, keeping the data of the user private throughout the lifecycle provides benefits far beyond a simple compliance checkmark. It signals that a company puts the consumer first – which allows a brand to truly succeed. When you put the privacy needs of your users ahead of anything else, that good will leads to adoption of your product and continued engagement with the services you provide. It is a win-win situation for both businesses and consumers. 

Transparency is a critical element of any successful data privacy strategy. Allowing users to know how you collect, store, and use their driving information creates a trusting privacy relationship between your organization and your consumers. Transparency not only allows you to be ethical in your data handling practices, but it also sets you up to be an organization with greater adoption of your telematics offerings. In 2021, data privacy is a priority for the majority of consumers, especially for products that collect significant amounts of personal driving information – think of the new iOS “Always Allow,” where users are asked via push notification to consent to location tracking information. Being a business known for transparency and honesty about data use practices is appealing for users, regardless of the industry. 

An actionable step to being transparent about data use is to use plain language when communicating to your users about how you manage their driving information. Avoid overly technical jargon and be explicit when explaining your processes and procedures regarding data, particularly in your company privacy policy. 

Do Not Sell My Personal Information
In a world where big data sales are king, there are still a multitude of benefits to being an organization that does not sell personal information. For one, it eliminates the often laborious process of managing and responding to customer data requests that tell a business not to sell an individual’s personal information (per the user rights set out by GDPR and CCPA legislation). More importantly, it further develops the trusting privacy relationship between you and your users: it signifies that your business takes the data protection concerns of its users seriously and demonstrates that you will not put the driving information of your customers at risk in the name of making an easy profit from a data sale. 

Prioritize Privacy: Global Standards Organization
As an engineering framework, privacy by design necessitates a need for regular external audits and assessments. Partnering with reputable and credible global standards organizations, such as the International Organization for Standardization (ISO) is an actionable way to show that your business makes privacy part of the entire data lifecycle.  

Aligning your business with a leading standard-setting body has two benefits. It determines the adequacy and strength of your internal controls and processes, while also denoting to your users that you do what you say you are doing in regards to their personal driving information.   

Stay Ahead of Emerging Legislation
Privacy legislation is unavoidable in 2021. Regardless of where a company is located, they will have to comply with stringent rules for data use and management, especially in areas such as the European Union or California. 

Fortunately, compliance does not have to be an onerous task for an organization – simply watching the courts and subscribing to reputable privacy and security publications will ensure you are staying ahead of continually shifting data protection laws and regulations. This is a key function of the privacy by design framework, because it means you will be prepared to be in compliance with emerging legislation when it becomes official law. 

Perform Regular Audits
Protecting your users by implementing privacy by design includes conducting ongoing audits to confirm your credibility as an organization that manages personal data. Audits, whether done by internal staff or external firms, can provide verification that your privacy controls and systems are as you say they are, to your users. 

For your business, audits will indicate if you have gaps within your privacy program, or if there are areas for improvement. It will provide an enhanced layer of protection for your company, as audits tend to efficiently indicate where your privacy posture needs to be further developed and strengthened. For your consumers, audits will show that you are properly following major data privacy laws, and also evidences your integrity as a company committed to data privacy. 

Put simply, audits say you are not fearful of having checks of your systems and practices. As an organization, performing regular audits demonstrates you are not afraid to have the strength of your privacy program tested and to see where you are able to further improve. 

Prioritize Privacy: Partnerships
Partnering with other organizations that also make data privacy a key element of their business is another critical piece of implementing a privacy by design framework. Since consumers are looking to be in control of their personal information, especially data related to their driving habits, it is crucial that an organization ensure that other businesses they partner with (especially subcontractors) also make privacy a indispensable priority. 

Consumer trust often trickles down into third-party partnerships. When a user is aware of what subcontractors you use, you want to guarantee that these third-parties are also utilizing the privacy by design framework. Choosing reputable partners who also focus on data protection is a simple way to indicate that your company is proactive about privacy and has embedded it as a core function of telematics technology design. If a telematics partner needs to sell data to augment its telematics revenue, it’s probably not a great telematics product. 

An actionable way to assess partners is to conduct a vendor assessment during the procurement process that specifies data privacy as a criteria. Asking third-parties how they handle data, whether or not they sell personal information, and evaluating their technical security controls is a solid due diligence. In addition, the vendor assessment process gives a competitive advantage to your business: telematics consumers care about privacy and will choose a company that prioritizes it, over a company that does not.

The telematics space is still relatively green, which means making privacy a priority is critical to encourage user adoption of this emerging technology. Implementing a privacy by design structure is an excellent way to assuage the data protection concerns of the consumer, and should be treated as the number one priority in developing a trusting privacy relationship between you and your users. 

If your business can embed privacy by design into its processes, being able to guarantee to drivers that their personal information is safe and secure will not be a burdensome function: don’t sell your users data, watch for emerging data privacy legislation, and remain transparent in your management of personal information.