Data forms the foundation of every business now, with its use shaping everything from daily interactions to long-term strategy. Consequently, the General Data Protection Regulation (GDPR), which applies from 25 May 2018, is going to have a wide-reaching impact on the insurance industry and beyond.
The GDPR brings with it a new era of accountability, placing greater demands on businesses that hold and process personal data. For example, there is a new requirement to complete a Data Protection Impact Assessment (DPIA, previously known in the UK as a Privacy Impact Assessment) before carrying out processing that is likely to present a ‘high risk’ to the rights and freedoms of the individuals concerned, such as large-scale processing of special category data. Internal systems must now follow the principle of ‘data protection by design and by default’, i.e. with protections built in from the outset rather than bolted on afterwards, and the GDPR also gives the ICO wide-ranging powers to compel businesses to produce records, policies and evidence of compliance. A new era of accountable transparency has arrived.
One of the biggest changes the GDPR will introduce relates to the consequences of non-compliance. Currently, insurance brokers could face ICO penalties of up to £500,000 under the Data Protection Act 1998, as well as unlimited FCA fines. The GDPR vastly increases the power of enforcement: the top tier of fines is the higher of 4% of annual worldwide turnover for the previous financial year or EUR 20 million. As data protection breaches become increasingly high profile, and reporting of breaches becomes mandatory, there are reputational costs to consider too. The ICO will also have a range of new corrective powers, including ordering a temporary or permanent ban on processing, or ordering a business to notify all those whose data has been affected.
Other key changes to note
The GDPR is going to have a wide-ranging impact on many areas of business, but there are some key changes that will have a particularly significant effect on brokers.
Privacy notices. There are new, stringent requirements for what must be included in privacy notices and when this information must be provided, which often depends on whether the data was collected directly from the individual or obtained from a third party. Now is a good time for brokers to review their privacy notices and how personal data is obtained.
The ‘right to be forgotten’ (right to erasure). The GDPR will give an individual the right to ask a business to erase the personal data it holds about them unless certain circumstances apply (e.g. the data is required to establish, exercise or defend a legal claim). This means that new, watertight procedures must be put in place to handle erasure requests, including identifying where the data is held across internal systems and third-party processors.
Other rights. Two other key rights will come in with the GDPR: the right for data subjects to object to processing, including profiling, and a right to data portability. Portability covers personal data a client has provided to a broker and that is processed by automated means; it must be supplied in a structured, commonly used and machine-readable format so that the client can take it to a new broker.
Data Protection Officer (DPO). The GDPR requires a DPO to be appointed in specific circumstances, for example where a business’s core activities involve large-scale processing of special category data, such as health data for medical insurance. The role can be outsourced.
New notification requirements. Businesses must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay.
Insurance software is one very simple way to clean up internal data handling processes and make procedures more accountable and transparent. If you’d like to take the first step towards GDPR peace of mind, get in touch with Mandon Software today on 01708 922850.