9 Questions that can help you build your plan for GDPR
The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018 and centres on how businesses collect, store, process and share the personal information they hold, for example about customers, staff, suppliers or prospects. The three core areas are consent, deletion (the right to be forgotten) and portability. Despite the UK's decision to leave the EU, the government has confirmed that this will not affect the commencement of the GDPR. The regulation is already in force, but 25 May 2018 marks the date from which it applies and from which fines can be imposed on firms in breach of it. The maximum fine increases from £500,000 to 20 million euros or 4% of global annual turnover, whichever is higher. However, insurance brokers are already governed by the UK Data Protection Act 1998 (DPA), so should not see a huge amount of change required, and there are several positives that the legislation creates (I cover these in a separate article).
The GDPR is EU legislation, and in the UK it is supervised and enforced by the Information Commissioner's Office (ICO) rather than the Financial Conduct Authority (FCA), simply because the regulation applies to anyone who collects, stores and processes personal data, not just financial institutions and the insurance market.
There is a wealth of information on the ICO website, including details of how to register if you have not already (it costs most firms £35 per year), but here I have tried to break down the three key themes.
Consent
Under the legislation, consent means having the client's clear, affirmative permission to use their data and being transparent about what that data is going to be used for; the purpose of collecting the data must be lawful. Lapsed client data can no longer be used to re-solicit business without prior consent. In addition, you must be able to provide evidence of the consent given if you are asked to do so. The material available from the ICO talks about the lawful basis for processing data, and I think most insurance brokers are comfortable that the information collected is needed to form a contract and is used only for the purpose for which it is intended, but brokers do then need to make sure that the data is stored and transmitted securely. Where brokers are sending marketing material to clients and prospects, they must be able to evidence that they have consent and must clearly set out what clients can expect to receive from them. Part of the regulation talks about "legitimate interest", which could cover sending a client information about another insurance product that the broker thinks could help them protect their assets, but as with all new legislation this is yet to be tested and the ICO guidance is a little vague on this.
Three things to consider:
1. Do you have consent to contact clients/prospects?
2. Could you document when consent was received?
3. Have you updated your privacy statements to set out clearly how information is collected, stored and shared, avoiding pre-ticked consent boxes?
Deletion
Deletion is the right to be forgotten. This seems straightforward, but there is the question of historical information that must be kept, for example for an employers' liability claim or as proof of historical insurance. Insurers will have a huge challenge in this area with pricing algorithms and claims forecasting. It is important to remember that this is not an absolute right to be forgotten: individuals have a right to have personal data erased and to prevent processing in specific circumstances, including where the personal data is no longer necessary for the purpose for which it was originally collected or processed, and where the individual withdraws consent. The right also applies where the individual objects to the processing and there is no overriding legitimate interest for continuing it. There are some specific circumstances where the right to erasure does not apply and firms can refuse to deal with a request, for example where the data is needed to comply with a legal obligation, or for the performance of a public interest task or the exercise of official authority.
Three things to consider:
1. Do you know where and how all your data is stored (electronic, paper, archive)?
2. Do you have a process for deleting old prospect data?
3. Do you and your staff know what to do if you receive a request to delete client (past or present) data?
Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. This means that brokers will be obliged to provide individual client files on the client's request, for example so they can be presented to a new broker. The right applies to data the client has supplied and that is processed by automated means on the basis of consent or a contract; it does not extend to data the broker has generated about them. Requests must be completed within one month of receipt (the current DPA limit for subject access requests is 40 days), and the data provided back to the client needs to be electronic and in a structured, commonly used, machine-readable format.
Three things to consider:
1. Do you know who within the business would respond to a client request to produce their data?
2. Do you have a process for responding to a request from a client?
3. How would you explain to a client why you need to hold their data or why it couldn’t be deleted?
Please feel free to drop a comment or question below. This is still an evolving topic, so I will be trying to update it as more information becomes available.
Notes to the reader
This document is created from my own research and the material available at the time of writing (25/01/18). I am not a GDPR expert, and the information contained in this document should be used for guidance only; it should not replace your own due process, compliance regime or sign-off process.