With issues around data protection and cyber security increasingly in the news these days, the forthcoming implementation of the EU General Data Protection Regulation (GDPR) is a big deal for UK companies of all types and sizes. There’s less than a year to go now before the GDPR comes into force, replacing the existing UK Data Protection Act 1998 (DPA), and it’s a topic we’re increasingly being asked to provide training on for our clients, who are mostly in the insurance and financial services sector.
One question we’re often asked – and it’s an easy one to answer – is whether Britain’s leaving the EU means UK companies don’t need to bother with GDPR. The short answer is they do. Brexit or no Brexit, the UK is committed to implementing the provisions of the GDPR regime, even if the precise details may need some tailoring depending on where we end up in the forthcoming negotiations with the EU 27.
The main purpose of GDPR is ensuring data protection regulations are applied consistently across all EU countries. Insurance is a data-intensive industry. Brokers and insurers need to gather large amounts of potentially sensitive data about their customers in order to match appropriate insurance solutions to their precise needs. This underlines the crucial importance of instilling a culture in which insurance organisations keep a tight rein on the type of data they hold, why they hold it, and for how long.
A key theme in GDPR is its insistence that ‘data subjects’ (i.e. current and potential policyholders about whom data has been collected) remain the ultimate owners of that data. Rather than relying on any more general assumption of consent, insurance firms – like any other business – will now need to obtain individuals’ explicit consent for their personal data to be used for a specific purpose.
Individuals gain new protections in terms of having ready, free and transparent access to details of any data held about them. If any data held on an individual is incorrect, companies will now be obliged to rectify or delete this and advise any third party with whom incorrect information has been shared within a month (two months for more complex cases). Individuals also gain new rights to restrict how their data may be processed – and to obtain and export their data from one IT environment to another where it suits their purposes to do so (for example if they want to request an alternative quote).
There are also new requirements on data breach notification, which insist that companies must notify the relevant supervisory authority, within a maximum of 72 hours, of any theft, misuse or loss of control over data they hold. Like any other business that processes large amounts of customer data, insurance firms are an attractive target for cyber criminals. That makes keeping customer data safe from outsiders – as well as from internal misuse – a top priority for businesses in the sector.
Firms that fail to comply with these new requirements face potential fines of up to 10 million Euros (that’s probably near enough £10m by the time you read this!) or 2% of turnover. On which basis, it will clearly be very important to make sure staff at all levels understand the need to flag up any potential breach, or loss of control over data, as soon as they become aware of it. Beyond the financial cost, there is reputational damage to consider. Customer trust is something no intermediary or risk carrier can afford to squander.
There are many other specific and detailed provisions. Some are entirely new. Others merely consolidate or extend what was left implicit or less fully developed under the DPA regime. It’s important for all UK firms to acquaint themselves fully with the detail between now and May next year. But before you panic too much, it’s probably worth stressing that any company that was already well up to speed with the DPA rules will not have too much difficulty preparing for GDPR. Record keeping and accountability are key, so keeping detailed records of when and how customer data has been used is fundamentally important.
Rather than seeing any of this as unwelcome red tape, it is also worth bearing in mind that a data breach (and the repercussions thereof) is something no business in its right corporate mind would want to bring upon itself. In promoting prudence, transparency and good governance, the new regulations benefit data processors as much as data subjects.