In terms of regulatory change, the general insurance firms who comprise the majority of the businesses for whom my firm Searchlight delivers training and consultancy services have a lot on their plates right now.
The Insurance Distribution Directive (which was due to come in to force in February but has been delayed until 1st October) and the Senior Managers and Certification Regime (which will be extended to cover all insurance firms later in 2018), both loom large on the insurance compliance landscape.
A third major landmark is the transposition of the EU’s General Data Protection Regime (GDPR) into UK law in the form of a new Data Protection Act, to replace the current 1998 Act, effective as of 25 May 2018.
That date is set in stone, so homework extensions will not be on offer. Nor will Brexit affect GDPR’s implementation. If we want to continue trading with EU countries we will still need to demonstrate compliance with GDPR requirements, whether we’re in or out.
Frustratingly for insurance compliance people, the precise shape of the Data Protection Act 2018 has yet to be ironed out. A draft act is likely to remain caught up in Parliamentary process for some time to come. At the time of writing the members of the House of Lords were poring over it word by word.
The general outlines are clear enough, but the Department for Digital, Culture, Media and Sport (DCMS) has made it clear that it aims to limit disruption to the current working practices of business in insurance and financial services generally, and this will involve some fine tuning.
Specific derogations (or carve-outs) within the final legislation offer a route to moderating any negative impact on financial services businesses. Insurance firms will particularly be looking for sympathetic treatment in areas such as fraud detection and underwriting at the point of sale.
In the two decades since the 1998 Act, the world of data and data processing has changed almost beyond recognition. Back then, Google was a new-fledged start up, Titanic cleaned up at the box office, and Apple’s original all-in-one Bondi Blue iMacs made their first appearance.
Hardly surprising, then, that European data regulations needed a thorough overhaul. The optimism of the early internet years has given way to a much keener awareness of the downsides to online data transfer and access. Reflecting this, GDPR aims, above all, to restore control and ownership over personal data to data subjects themselves.
In seeking to achieve this, GDPR updates and extends the duties owed by data controllers and data processors. These expanded obligations are backed by a significant increase in the maximum fine the Information Commissioner’s Office (ICO) can impose, up from £500,000 to €20m or 7% of global turnover.
In future, both controllers and – for the first time – processors will have a legal obligation to record and account for what data they have on their systems, the purposes for which they intend using it, who has access to it, and how long they will retain it.
The ICO has made clear that it will take a dim view of imprecision in any of these areas. Herein lies the key cultural challenge for many insurance firms who have historically tended to be better at capturing data than at paying close attention to what happens to it thereafter.
The key rule of thumb is that data should never be retained (at least not in individually identifiable form) any longer than its legitimate use or your legal obligations require. In practice, this will entail insurance firms trawling their records to identify personal data that needs to be deleted, anonymised or pseudonymised.
Lawful bases for processing personal data include doing so with the informed consent of data subjects, contractual necessity, compliance with legal obligations (in an insurance context, this would include identifying fraud), or where it is necessary to protecting data subjects’ vital interests (i.e. where serious harm or death might plausibly result from data being unavailable).
If in doubt on this, or any other aspect of GDPR, the obvious point of reference is the ICO website. Here you can find regular updates on the new requirements as well as the latest available guidance on how to comply. At a recent seminar my firm ran on this topic, roughly half the delegates present indicated that they consult the ICO website once a month or more.
In the run-up to the new Act coming into force, I would certainly recommend this as a minimum. Time is fast running out for firms with work still to do to ensure they are compliant on 25 May.
But the new law is essentially evolutionary rather than revolutionary – and the ICO has indicated that it intends working constructively with UK businesses rather than going in hard with attention grabbing fines in the first instance.
Provided you keep yourself fully up to speed with your duties and obligations under the new Act, and maintain a conscientious and responsible approach to what data you hold/process and why, the Data Protection Act 2018 should not present too daunting a challenge.