Terence has over 35 years' experience in the Financial Services environment, covering general insurance, investments and mortgages.
The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and from that date all firms in all industry sectors (FCA / PRA regulated or not) will need to make significant changes to the way they deal with their data.
This is the biggest shake-up of data protection rules for over twenty years and is designed to bring these rules up to date with both technological changes and the way people interact with businesses. These changes will affect virtually every company in the UK.
Given advances in how data is processed, firms will need to review and make a number of changes to their documentation, data policies, and processes.
The ICO has developed a microsite at https://ico.org.uk/for-organisations/data-protection-reform/ and we urge all firms to review this on a regular basis.
Some of the main areas to consider:
Consent
This is one of the major problem areas. A firm may not need consent to process data for its business purposes, but it will need consent for marketing.
The business purpose is that unless the insurance broker can process the data, it cannot provide a quotation or arrange cover.
However, marketing could include an insurance broker’s duty to alert clients to covers that would benefit them, rather than simply trying to generate sales. For example, a limited company should consider the cover provided by a D&O policy, so if an insurance broker starts a campaign to alert its commercial clients to the benefits, is this marketing or part of the broker’s duty to make clients aware of products they may need?
There may be an exemption for this, but it is not clear how such exemptions are defined.
So a further level of consent may be needed, and it must be an opt-in given by affirmative action.
Data Subject Rights
This should not initially pose an undue burden.
These are to apply from 25 May 2017, but the ICO has indicated that guidance may not be available until July 2017.
This is a major issue as an insurance broker has to define legal bases and include the appropriate marketing detail. Given the complexity of rules around consent and processing, this may not be easy to construct and it may not be a “standard” text.
Demonstrating compliance is going to be problematic and will possibly mean much more monitoring and auditing for a firm and a rewrite of many internal procedures.
The privacy impact position must be reviewed on an individual basis and be clearly documented. This is likely to be a long-winded process.
Data Protection Officer
This should not affect most small/medium-sized firms, and the appointment can be voluntary here. However, if a voluntary appointment is made, it brings in the full raft of data protection requirements that apply to that appointment, so a voluntary appointment needs careful consideration.
Data Security & Breaches
This should not pose an undue burden.
There are new rules on large-scale processing of data, but this term is not defined: does it mean, for example, that large call centre operations are caught by the new rules?
There are also new rules for “high-risk” processing, but again this is not clearly defined and will come down to a Privacy Impact Assessment, which must be carried out for “high-risk” activities.
Transfers outside of the EU
This should not affect many of our clients, but where firms are based overseas or have overseas outlets there may be issues; again, clarity is needed.
Firms and their senior managers need to be aware of how seriously this has been ramped up, but it is unclear what appetite or resource the ICO will have to fully enforce all of this, particularly with reference to monitoring and auditing.
Summary & Next Steps
There is a significant amount for insurance brokers to grasp here and given the sheer volume and complexity, it’s going to take some time to determine what is actually needed and when. The lack of clear and timely guidance from the ICO is not helping.
This will be particularly relevant to three main issues: Privacy Notices, Consent (both of which need to be covered in the TOBA) and Basis of Processing.
There are also concerns about how data is kept on employees, past and present, and the position here is also unclear. So it is not just an issue relating to clients but also one for employers, relating to how they manage and store data.
There is a wealth of “guidance” in the public domain, but much of it is unclear and complex at this time, and some of it is of quite poor quality, conflicting and lacking in basic detail.
RWA will be watching developments and will try to offer advice where we can, and we will certainly be updating the AVIVA Development Zone modules and the Template documents at the appropriate time.
However, insurance brokers do need to be aware of what is coming and start to think about how they will approach the issue and what resource they will need to devote to it. Ultimately, legal advice may be needed to determine an individual firm’s position.