Insurers and brokers have a lot on their plate at the moment: Brexit bafflement, Ogden agony, rate reductions and new threats to their business models. Even so, everyone from the smallest high street broker to the largest multinational insurer needs to know their GDPR subject matter. Failure to plan ahead means you could find the regulator banging loudly on your door, followed by a set of Google search results that you really don't want your customers to be reading!
When I speak to some insurance companies and brokers I still encounter (senior) people who believe that, with Brexit, they don't really need to comply with the GDPR because it is an EU requirement. That is very much not the case: the government has confirmed that the UK Data Protection Bill (which carries the requirements of the GDPR into UK law) will proceed into law, so all UK companies need to be compliant by 25 May 2018.
What Should Every UK Insurer and Broker be Doing?
No matter what their business is, every UK and EU company is likely to hold some Personal Data (if only about its employees), so in readiness for the GDPR it should follow the steps below as a minimum:
Understand Your Data
Know and understand what Personal Data your organisation collects, how it is processed, the lawful basis on which it is processed, whether it is sent to third parties, and ensure that your agreements with those third parties identify them as data processors and set out their obligations. If your data processors are outside of the EEA, you may need additional contractual safeguards (for example the EU standard contractual clauses) before you can lawfully transfer Personal Data to that country and vendor.
Create your data purpose(s)
If you already have a data purpose, ensure that it is updated and appropriate for the GDPR. If not, you will need to create one. It should state what data is collected, why it is collected, how it is processed, who processes it and where (particularly if that is outside of the EEA), how long it will be retained for, and who to contact in case of a data protection query (your data protection officer, or the person who fills that role).
Where you rely on consent, ensure that you are obtaining the Data Subject's consent to use their Personal Data and that you are recording that consent (what was agreed to, when, and how) so that it can be demonstrated to the Data Subject or a Data Protection Authority in the case of a Subject Access Request or a complaint. If you already hold a lot of Personal Data for which you have no record of consent, you may want to look at actively re-establishing consent. In some cases (such as the provision of an active service) you may be able to rely on a different lawful basis, such as performance of a contract, rather than on consent, but you may need to seek additional help in this area.
Support the data subject’s rights
Assess your business processes and the functionality of your computer systems to be sure that you can support the Data Subject's rights (access, rectification, erasure, portability and objection among them) within the time frames dictated by the GDPR, which is generally one month from receipt of the request.
Create an incident response plan
The GDPR requires that, following the discovery of a data breach or other incident involving Personal Data, the incident is handled in a way that allows the Data Protection Authority to be informed of the nature and scale of the breach, the action that has been taken, and the potential impact on the Data Subjects, without undue delay and where feasible within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals). Where the breach is likely to result in a high risk to the Data Subjects, they must also be informed without undue delay. This requires having an Incident Response Plan that can be followed, so that your organisation does not have to invent the process whilst dealing with an incident.
The GDPR, whilst not as scary as it is often portrayed, can be complex. If your business has some complexity in its requirements (such as cross-border data processing, or being based outside of the EU) then you should seek help to ensure that your approach is both appropriate and proportionate to your requirements.
In a world where news of a data breach can go viral in a second, you need to make sure that your data handling is compliant and inoculated against incidents that can give even the best business a nasty dose of flu.
To get in touch with Darren Wray about this article, click here to leave a message and we will pass your details on.