The General Data Protection Regulation (GDPR) is one of three major regulatory developments due to impact the insurance industry this year. Due to come into force on 25 May 2018, GDPR is, of course, not just something that affects insurance providers. By that May deadline, any UK business that holds personal data needs to be compliant with the provisions of GDPR, which in this country will be enacted in the form of a new Data Protection Act.
There are a number of issues companies need to be aware of. These include the requirements in GDPR around understanding what data they hold, their reasons for keeping it, how they are collecting it, and how that personal data is processed either in house or by third parties. Any firms that haven’t already gone through this thought process need to do so as a matter of some urgency.
One of the key things around GDPR is the right to erasure, sometimes known as the right to be forgotten. This is the right an individual data subject has to ask for their personal data to be deleted from your organisation’s records. It is important that firms understand the circumstances in which this right applies and are confident of the legal basis on which they are holding any data they keep on file.
Firms need to think not just about what data they are collecting and processing now – but about all the data they’ve collected and retained over the years. Not having a robust and fit-for-purpose data retention policy is a recipe for GDPR compliance issues going forward.
Too many firms are sitting on a vast amount of personal data they’ve collected from their customers and are still holding either on databases or in paper form, tucked away in a back office or a warehouse somewhere. Unless they have a legitimate and current reason, as defined by GDPR, for holding that data, they need to delete or anonymise it or risk being found in contravention of the new data regulations.
This seems to be one of the aspects of GDPR that firms are struggling most to get their heads around. Insurance firms – brokers in particular – have historically had something of a reputation for simply filing rather than jettisoning older customer data. This approach needs to change.
There are, of course, perfectly legitimate reasons, in certain cases, for retaining personal data over longer periods (and indeed even a legal obligation to do so in some instances). But personal data kept on file without a clear and legitimate reason for doing so could soon lead to compliance issues for insurance providers.