The new EU data protection rules come into force on 25 May 2018, replacing the Data Protection Act (DPA) 1998. The General Data Protection Regulation (GDPR) aims to harmonise legislation across all EU member states by ensuring that organisations properly file and organise their client records, control such data, and act in accordance with the consent granted by the client. The implementation of the GDPR is unaffected by the UK’s decision to leave the European Union.
RWA has prepared a briefing document, which summarises what we know so far and outlines its applicability to the insurance sector.
In the UK, the Information Commissioner’s Office (ICO) will be responsible for supervising and enforcing the new data protection laws and will have powers to carry out audits, which could result in orders for firms to cease their operations. If breaches are found to have occurred, the ICO will notify the individuals concerned of the breach; rectify, restate or even delete data; prohibit or suspend data processing; and stop a firm sharing information with other parties.
Whereas the ICO can currently issue a fine of up to £500,000 for major breaches of the DPA 1998, the new GDPR allows for much stricter penalties:
- A firm can be fined up to €10m or 2% of global annual turnover (whichever is higher) for not organising records appropriately, for not notifying the ICO and data subjects about a breach, or for not conducting impact assessments.
- A higher fine of €20m or 4% of global annual turnover (whichever is greater) can be imposed for violating the basic principles of data security or violating consumer consent.
This is therefore an extremely important area for insurance brokers (and indeed any firm which handles data) to address over the next year or so, so that appropriate systems are in place and staff receive training on the requirements of the legislation.
There are a large number of firms selling training or consultancy services at the moment. Our advice would be to proceed with caution, as we have seen wildly differing interpretations of GDPR requirements from different providers.
The GDPR is a complex piece of new EU legislation and much is a matter of interpretation. As time goes by, we may see some additional clarity or guidance from the Information Commissioner’s Office.
We would also recommend that guidance is sought from the ICO if in any doubt.
To download a copy of the RWA GDPR briefing document, click here.
If you have any further questions, please contact a member of the RWA team.