Insurance company ZLM scores high for customer satisfaction. Will GDPR change that? Managing director Marinus Schroevers warns: ‘If the customer does not give explicit permission to do something with personal data, stay away from it!’
At Goes-based ZLM, employees have no sales-based targets or bonuses. Is this about cost-cutting? No.
If employees have the time to talk to customers instead of feeling pressured, they enjoy their work more. Happy employees are the best guarantee for happy customers, Schroevers says. ‘Independent customer research by the Dutch Association of Insurers has ranked ZLM top for some years,’ he says. ‘On average, customers give us 8.2 out of 10 for our customer focus, expertise and transparency. I want to keep it that way.’
The strategy is working: ZLM is outperforming market growth, makes a profit each year and has a healthy solvency ratio of almost 400% – something most insurers can barely imagine.
Schroevers has been working for ZLM for 27 years. He started as a claims handler at the bottom of the tree, climbed steadily and has been managing director since 2016. He sees the enforcement of GDPR as an opportunity above all: ‘This legislation means we have to deal with customer data more carefully,’ he says. ‘That’s fine, and it could give us opportunities to work in a more personal way. It also forces us to think carefully about what we want with all that customer data in future.’
What social effects will GDPR have?
'Digitisation is happening at record speed so it is good for companies, employees and consumers to stop and think about the importance of data privacy. After all, what has been happening with their data? This type of legislation usually stems from a series of undesirable incidents. That is a shame, because it increases the risk that politicians will start reacting to individual incidents.’
How far should companies go with data?
‘You have to be careful. This subject gets tricky very quickly. ING wanted to sell customer data to other companies a few years ago, to offer their clients personalised adverts. But there was a public outcry and they quickly abandoned the idea. This makes it clear that as an organisation you always have to start from what your customers wanted when they gave you their data. Even if you are 100% convinced that you are helping customers, if they not given explicit permission to do something with their data, stay away.’
How are you dealing with GDPR in ZLM?
'We have formed a working group including our compliance officer, the head of information management, a corporate lawyer, the security officer and me. Our compliance officer, who also deals with data protection, is almost entirely occupied with GDPR work. Our philosophy is to do as much as possible ourselves. But we do work with external advisers who assess the extent to which we are already GDPR-proof and come up with tips for improvements, if needed. You really need that support from the outside – that’s my experience.'
filling in loads of extra boxes’
What is your personal involvement?
‘I think that GDPR is something where the buck stops with me as MD. It really affects our employees, who have to deal differently with capturing, managing and deleting data. They need to be much more aware – there’s no getting around it. But I really value their happiness, and I’m not sure GDPR contributes to that. They don’t enjoy filling in lots of extra boxes on their computer screens. So I am keeping an eye on the right balance between laws and regulations, and job satisfaction.
Which privacy risk keeps you awake at night?
‘My big worry is the use of ransomware, software that allows cybercriminals to “hijack” your data files. This is data that is meaningless to them, but essential to your firm. They only give you access to your data again after you pay a ransom. Taking data hostage could wipe out your structural processes. That would be a real problem for us.’
How do you ensure all your employees know enough about the implications of GDPR?
'I can see this is something people are talking about more and more in the office. That’s of course because of media attention, like the recent song and dance about Facebook. We have modified lots of employee guides, for example what you have to do when a customer asks to be forgotten. And we talk about our progress on the intranet every week. We are training employees on the new way of working, and the induction programme for new staff goes into GDPR in detail. After the summer, there will be an obligatory extra e-learning module for everyone; then, we will have had a few months of GDPR enforcement and supervisors will have an idea about what’s most important.
How important will customer data be in ZLM’s strategy after the enforcement of GDPR?
‘In terms of marketing, it will no longer be important to segment target groups. Consumers don’t fit into set boxes anyway – their behaviour is erratic. The positive thing about collecting all this customer data is that you can approach people more and more personally. Most of them are already used to the fact that companies know a lot about them. Management author Steven van Belleghem says in his book Customers the day after tomorrow that you should draw up a data plan: how do we deal with customer data now and in future? At ZLM, we try to deal with it as best we can, within the limits of what GDPR allows.
You advise many major internationals both in the Netherlands and abroad. How have you convinced your clients to deal with security and privacy protection?
‘I help my clients to make the right decisions when it comes to technology and innovation at board level. I recommend they use the help of both in-house and external experts to take the appropriate steps to ensure proper security and privacy protection. For years, I have been urging them to place a responsible disclosure policy on their websites. This is a policy addressed to white hat hackers who are happy to report any weaknesses in your systems that they find. They are the rock stars of tomorrow. They deserve not only to know where they stand, but that they will be rewarded.’