Making sense of the new General Data Protection Regulation (GDPR)
13 October 2017
18 September 2019
Policy and Public Affairs
Resources to help you make sense of the new General Data Protection Regulation (GDPR).
What is the General Data Protection Regulation (GDPR)?
The European General Data Protection Regulation will from May 2018 underpin all data protection standards, and replaces existing laws and regulations. It will apply to all organisations (wherever they are) that are holding personal data on individuals in the EU including the UK. The GDPR is designed to provide a clear framework consumer rights on how their data is handled and processed. It fundamentally changes how UK firms can process and handle client and prospect data, from this is stored, what data sets are stored and how communication can be made.
- Background briefing on GDPR
- General Data Protection Regulations 2018 Explained (Video by Nick Gibbons, Partner BLM)
- Data Commissioner’s Guide: GDPR 12 steps to take now (external link)
- Experian’s Guide to ‘Defining the data powered future’ (external link)
What does it mean for me?
Any firm that handles data and/or engages in any form of marketing to the public needs to prepare itself to comply. Non-compliance will result in significant costs not just in reputational damage. Fines by the Information Commissioner’s Office could go upwards of €20,000,000 or 4% of global revenue, whichever is highest. Of course, no one knows for sure if such fines will be handed out, but the ICO has made it clear that it will take a very dim view in the event of a breach of the regulation. As though this is not enough, the FCA has said that ICO penalties could also give rise to their own investigations on Systems & Controls. Finally, there is an updated right for data subjects to claim compensation for damages they suffer from such incidents.
Will this European regulation still be relevant in the light of Brexit?
Yes. The Government has confirmed that Brexit will not affect the commencement of GPDR, but it is possible that questions might arise at a later stage stemming from the negotiations. However it is also worth bearing in mind that the UK Government played a major hand in writing the new laws and it will be transposed fully into UK law, even once the UK has made its exit from the EU.
What firms should do: identify data held
The urgent priority for insurers is to identify exactly what data they hold, how and where this information is stored. This will apply both to existing data storage, which may be spread across several systems, held in different forms or formats and often poorly reconciled. As regards new data, as it comes into the organisation. A key part of this process will be understanding what permissions have been obtained for each element of data held. Where those consents are lacking or insufficiently explicit under the GDPR, it may be necessary to contact customers in order to obtain the right permissions.
Understand how data is used
Firms should also think of how data is used across the business. Under GDPR, firms will have to consider every use-case for their data (both current and in development) in order to establish what remains viable, and what needs to change. That process must take place in every function, such as:
insurers are already using data and analytics tools for fraud prevention, and firms are considering the use of social media to provide evidence of fraudulent claims, but the new regulation on the consent required for data processing may pose a threat to this work.
while telematics helps insurers price policies on a much more bespoke basis, GDPR will limit how telematics data can be used without consent.
- data enables insurers to identify smaller and smaller homogenous pools of risk, particularly by bringing in non-traditional insurance data such as customers’ credit histories and health records – and even data from geo-location tools.
ICO investigations can be the result of consumer complaints (for example the public can report you if you contacted them without consent), or as a result of you admitting a breach yourself. The latter type of reporting must be done within 72hours of learning that a breach has occurred. The relevant consumers would also need to be notified where it is likely to result in a risk to their rights and freedoms. ICO will need to information on the nature of the breach, the approximate number of individuals concerned, categories lost, details of the likely consequences of the breach, and how the breach will be dealt with.
Other resource hubs
A mark of a strong profession is one that builds knowledge and shares good practice in the public's best interests. As a professional body with over 125,000 members, the CII is ideally placed to help financial advisers and planners navigate their way through the regulatory landscape and get to grips with the business development issues that affect them the most. The Financial Conduct Authority (FCA) is a more engaging regulator than ever in sharing examples of good practice, so we can use our positive relationship and regular communications with it to relay and share our insight and experiences with the widest possible range of members.
- Senior Managers & Certification Regime (SMCR)
- Insurance Distribution Directive (IDD)
- Insurance Act »
This document is believed to be accurate but is not intended as a basis of knowledge upon which advice can be given. Neither the author (personal or corporate), the CII group, local institute or Society, or any of the officers or employees of those organisations accept any responsibility for any loss occasioned to any person acting or refraining from action as a result of the data or opinions included in this material. Opinions expressed are those of the author or authors and not necessarily those of the CII group, local institutes, or Societies.