The Internet of Things is not a new concept, particularly to data protection professionals. It describes the network of physical objects that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

Financial services organisations have an obvious interest in the data produced by these devices, as it often provides behavioural insights which can be leveraged to offer more tailored and relevant services or prices.
For more on the data privacy challenges and regulations faced by financial service organisations, download our data privacy in financial services guide.
Open Banking
Since 2018, Open Banking rules have meant the UK's largest banks have to let you share your financial data with authorised providers, granting them read-only access to things like your spending transactions and regular payments.
Providers ask for consent to access the information and then request the information (along with the approval) from the bank. The banks will share this information via application programming interfaces (APIs), and then the provider can access things like bank balance, direct debits, and so on.
This can be beneficial, for example, in budgeting and debt management. One subscription and tracker app in the UK uses open banking to offer total visibility of outgoing subscription payments, as well as the ability to cancel and switch subscriptions within the app.
Connected Cars
Connected cars use various types of connectivity to communicate and exchange data. Increasingly, insurance companies are leveraging this data for a variety of purposes.
Ford, for example, outline that “the data from your vehicle will be used for insurance purposes. For example, this could be to support a Pay-As-You-Drive policy (usually priced based on the miles driven) or a Pay-How-You-Drive policy (primarily focused on your driving behaviour). The data may include location and driving characteristics (e.g., speed, acceleration, distance travelled).”[2]
It is easy to see how access to this data could give an insurance company a much clearer picture of the individual requesting a car insurance quote, and of the statistical ‘risk’ group they fall within, which allows for a far more accurate price. This ultimately benefits the insurance market: insurers have to pay out unexpectedly on claims less frequently, and where claims do arise they were anticipated, with the premiums priced accordingly at the inception of the policy.
Smart Homes
A connected home or smart home is one with a network of gadgets that work together to monitor and automate the things you usually do around the house. These can include security systems, such as sensors, locks and cameras, smart thermostats and connected water sensors which can detect a leak before the damage is done.
Similarly to connected cars, there is a natural interest in smart homes from insurance providers. Some are even offering dedicated packages that provide the hardware and the app if you agree to share the data.
Connected Health
The final example, which follows the same themes as those above, is connected health devices. Smart watches and heart rate sensors have become incredibly popular, and insurance companies, again, have designs on using that data to better understand their customers.
One provider, for example, will provide an Apple Watch if you link the Apple Health app to their member app, enabling them to track your activity.
Whilst this sounds intrusive – and some will still consider it to be – there are benefits; according to results recently presented by Discovery Vitality, there is an 18% reduction in hospital and chronic claim costs for the batch of Vitality members who use the Active Rewards System alongside the Apple Watch, compared to the group of insured who do not use an Apple Watch.[3]
Data Protection Considerations
So, what do you need to think about as a data protection professional? There are several complex areas you’ll need to navigate, for which we have provided some high-level considerations below:
Lawful Basis
Above all else, you must ensure that you have a lawful basis for processing the data under Article 6 of the UK General Data Protection Regulation, as well as a separate condition under Article 9 (and any additional safeguards or conditions required under Schedule 1 of the Data Protection Act 2018) if you are processing special categories of personal data or criminal offence data.
The data must also have been collected lawfully by the device or vehicle in the first place, and you must undertake the requisite due diligence to assure yourself of this before ingesting and processing the personal data.
Transparency
As a financial services provider – and particularly one receiving data from a car manufacturer, for example – you must determine how you will communicate with the data subjects. Not only that, but the information you do provide must be:
Concise
Transparent
Intelligible
Clear
In plain language
Communicated in a way that is effective for the target audience
Purpose Limitation
Ingesting high volumes of data from connected devices will mean that you must have robust controls in place to ensure that the data is only processed for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
Practically, this means that organisations should be clear from the outset on why they are seeking to collect this personal data and what they intend to do with it. This should be communicated to the data subjects prior to processing.
Storage Limitations
Like the above, data should be ingested with a retention period already defined. If you, as an organisation, are clear on your purpose for processing, then you should be clear on how long you will require the personal data for and ensure it is deleted (or other appropriate measures taken) upon expiry of that defined period.
Data Minimisation
Ensuring you only collect and process the data you require is also going to be critically important when the devices in question can generate extremely high volumes of very granular data.
This, again, comes back to your organisation’s defined purpose for processing; it should be agreed and documented, outlining the specific data required to meet that purpose.
Accuracy
How do you ensure that the data being used in decision-making at financial services organisations is accurate? This is particularly important given the relative significance of so many decisions made within the sector, e.g. mortgage applications or insurance cover.
Financial services organisations must ensure there are processes in place to validate the accuracy of all data being ingested from these connected devices.
Rights
Organisations must also consider how the collection and processing of connected device data fits into fulfilling data subject rights requests, where applicable. You must ensure that you can, for example, provide access to all of the data used in the processing activities.
Similarly, in an insurance context, this data may be used in automated decision-making with a legal or similarly significant effect, so ensuring that these are explainable is paramount.