The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and from that date, all firms in all industry sectors (FCA / PRA regulated or not) will need to make significant changes to the way they deal with their data.
This is the biggest shake-up of data protection rules for over twenty years and is designed to bring these rules up to date with both technological changes and the way people interact with businesses. These changes will impact virtually every company in the UK.
Given advances in how data is processed, firms will need to review and make a number of changes to their documentation, data policies, and processes.
The ICO has developed a microsite at https://ico.org.uk/for-organisations/data-protection-reform/ and we urge all firms to review this on a regular basis.
Some of the main areas to consider:
This is one of the major problem areas. A firm may not need consent to process data for its business purposes, but it will need consent for marketing.
The business purpose is that unless the insurance broker can process the data, it cannot provide a quotation or arrange cover.
However, marketing could include an insurance broker’s duty to alert clients to covers, which would be beneficial rather than just an attempt to generate sales. For example, a limited company should consider the cover under a D&O policy, so if an insurance broker starts a campaign to alert its commercial clients to the benefits, is this marketing or part of the broker’s duty to make clients aware of products they may need?
There may be a possible exemption to this, but it is not clear how such exemptions are defined.
So, there may need to be a further level of consent which must be opting in with affirmative action.
- Obtaining consent from an individual is just one way to justify processing their personal data. There are other justifications.
- It will be much harder for a firm to obtain a valid consent under the Regulation. Individuals can also withdraw their consent at any time.
- As under the Data Protection Directive, consent to process sensitive personal data must be explicit. Consent to transfer personal data outside the Union must now also be explicit.
Data Subject Rights
This should not initially pose an undue burden.
- The Regulation largely preserves the existing rights of individuals to access their own personal data, rectify inaccurate data and challenge automated decisions about them.
- The Regulation also retains the right to object to direct marketing.
- There are also potentially significant new rights for individuals, including the “right to be forgotten” and the right to data portability.
- The new rights however are complex and some clarity may be needed.
These are to apply from 25 May 2017, but the ICO has indicated that guidance may not be available until July 17.
This is a major issue as an insurance broker has to define legal bases and include the appropriate marketing detail. Given the complexity of rules around consent and processing, this may not be easy to construct and it may not be a “standard” text.
- The Regulation increases the amount of information a firm needs to include in their privacy notices. Those notices must also be concise and intelligible.
- This includes specific consents, the legal basis for processing, the name of the Data Protection Officer, the source of data, the retention periods, the recipients of data, and so on. It is unclear what level of information may be needed in such notices.
Demonstrating compliance is going to be problematic and will possibly mean much more monitoring and auditing for a firm and a rewrite of many internal procedures.
The privacy impact position must be reviewed on an individual basis and be clearly documented. This is likely to be a long-winded process.
- Under the Regulation, a firm must not only comply with the six general principles, but also be able to demonstrate that they comply with them.
- If a firm is carrying out “high-risk” processing, it must carry out a privacy impact assessment and, in some cases, consult the ICO. This may impact larger firms.
- It may be possible to demonstrate compliance, and comply with other obligations in the Regulation, by signing up to a Code of Practice or becoming Certified. In practice, it is unclear what this may involve.
Data Protection Officer
This should not affect most small/medium sized firms and can be a voluntary appointment here. But, if a voluntary appointment is made, it brings in the full raft of data protection requirements as applied to that appointment. So, a voluntary appointment needs careful consideration.
- A firm may be obliged to appoint a data protection officer. This depends on the processing that they carry out.
- The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing their role.
- The data protection officer must report directly to the highest level of management within the business.
- The data protection officer must have the right professional qualities and expert knowledge of data protection law.
Data Security & Breaches
This should not pose an undue burden.
- The Regulation requires firms to keep personal data secure. This obligation is expressed in general terms but does indicate some enhanced measures, such as encryption, may be needed.
- Controllers must report data breaches to the ICO (unless the breach is unlikely to be a risk for individuals).
- That notification should normally be made within 72 hours. Firms may also have to tell affected individuals.
There are new rules on large-scale processing of data, but this is not defined; does this mean, for example, that large call centre operations are caught by the new rules?
There are also new rules for “high-risk” processing, but again, this is not clearly defined and will be down to a Privacy Impact Assessment, which must be carried out for “high-risk” activities.
- The Regulation expands the list of provisions controllers must include in their contracts with processors.
- Some aspects of the Regulation are directly applicable to processors. This will be a major change for some suppliers who have avoided direct regulation under the Data Protection Directive by setting themselves up as processors.
- Processors will be jointly and severally liable with the relevant controller for compensation claims by individuals.
Transfers outside of EU
This should not affect many of our clients, but where firms are based overseas or have overseas outlets, there may be issues; again, clarity is needed.
- The Regulation prohibits the transfer of personal data outside of the Union, unless certain conditions are met. Those conditions are broadly the same as those under the Data Protection Directive.
- Full compliance with these rules will continue to be difficult. The new minor transfers exemption is unlikely to be of much benefit in practice.
- Requests from foreign regulators are likely to be particularly challenging.
Firms and their senior managers need to be aware of how seriously this has been ramped up, but it is unclear as to what appetite or resource the ICO will have to fully enforce all of this, particularly with reference to monitoring and auditing.
- There is a step change in the sanctions that the ICO can apply. It will be able to issue fines of up to 4% of annual worldwide turnover or €20 million.
- The ICO will have a wide range of other powers. It can audit firms, issue warnings and impose temporary or permanent bans on processing.
- Individuals can sue a firm for compensation to recover both material damage and non-material damage (e.g. distress).
Summary & Next Steps
There is a significant amount for insurance brokers to grasp here and given the sheer volume and complexity, it’s going to take some time to determine what is actually needed and when. The lack of clear and timely guidance from the ICO is not helping.
This will be particularly relevant around three main issues: Privacy Notices, Consent (both of which need to be covered in the TOBA), and Basis of processing.
There are also concerns about how data is kept on employees, past and present, which is also unclear. So, it is not just an issue for clients but also for employers relating to how they manage and store data.
There is a wealth of “guidance” in the public domain, but much of it is unclear and complex at this time, and some of it is of quite poor quality, conflicting and lacking in basic detail.
RWA will be watching developments and will try to offer advice where we can, and we will certainly be updating the AVIVA Development Zone modules and the Template documents at the appropriate time.
However, insurance brokers do need to be aware of what is coming and start to think how they will approach the issue and what resource they will need to devote to this. Ultimately, legal advice may be needed to determine an individual position.