GDPR guide for insurance brokers from Stride Group

Insurance brokers everywhere are embracing digital innovations as they seek to make their services more streamlined and efficient. But technology is not without its pitfalls; as brokers harness these online tools, they face a sinister and growing threat in the form of a data breach.

According to research from law firm RPC, cited by Insurance Age, UK financial services firms have witnessed a 23% increase in data breaches reported to the Information Commissioner’s Office (ICO), rising from 114 in 2015/16 to 140 in 2016/17. Meanwhile, a Freedom of Information request unveiled a 317% hike in breaches in the sector during the first half of 2016.

The figures shared by RPC only represent reported cases and in reality, the number of breaches is likely to be much greater. According to the law firm, hackers are increasingly honing-in on smaller financial services firms which have large quantities of sensitive data, but often lack robust security systems to safeguard that data.

Needless to say, just one data breach could have serious repercussions for your brokerage firm. With the number of cases increasing, it has become more important than ever to take steps to protect your clients’ data. However, even if you were not minded to do so, strict new EU regulations are coming into force next year (regardless of Brexit) which compel all UK businesses to focus on how they manage and secure customer data: GDPR.

Major changes from the GDPR – be aware of your new obligations

The way data breaches are reported and handled is going to change from 25th May 2018, when the General Data Protection Regulation (GDPR) comes into effect. For example, the new legislation will require all firms to report breaches to the ICO – the body responsible for policing the GDPR – within 72 hours of becoming aware of them.

But the GDPR encompasses much more than reporting data breaches and is set to overhaul the way firms in all industries handle client information.

According to the third instalment of the ‘GDPR and you’ report from the Direct Marketing Association (DMA), the proportion of businesses that felt they were on course to ensure GDPR compliance slipped from 68% in February to 54% in May 2017. Moreover, almost a quarter (24%) of companies are yet to devise a GDPR plan.

Ten months may seem like a long time to prepare for the changes, but with insurance being one of the sectors that accumulates the most data, the time to act is now. Hopefully, our guide will help you get to grips with the impending changes so that you can get your business GDPR-ready.

Why is GDPR being introduced?

The GDPR is the result of years of negotiations aimed at modernising out-of-date data protection laws. It will apply in all EU member states and will eventually replace the Data Protection Act (1998) in the UK.

The goal of the GDPR is to strengthen and unify data protection for individuals within the EU. As the ICO states in its GDPR guidance, the UK’s decision to leave the EU will not affect the commencement of the new legislation.

Key areas of the new legislation for brokers include…

Consent

Consumer consent is getting a shake-up under the new rules. Currently, you only have to obtain passive or ‘implied’ consent from consumers to market to them; for instance, through a pre-ticked subscription box. But under the new rules, consent must be unambiguous, meaning the consumer must actively opt in, such as by ticking a box, followed by a double opt-in to confirm their decision.

Privacy Notices

From May next year, you’ll be required to include much more information in the Privacy Notices (a written privacy policy) you send insurance clients or prospects. The information required will depend on whether the data is collected from the client or prospect themselves (known as the data subject) or from a third party, but all notices will have to include:

  1. The full company name and contact details of any business processing the subject’s data
  2. The purpose of processing the data
  3. The legitimate interests of the data controller or third-party data processor
  4. Notification of each of the data subject’s rights (see below), including the right to withdraw consent at any time.

The right to be forgotten

The ‘right to be forgotten’ forms part of the GDPR and will give consumers the right to erasure in certain circumstances. For instance, they can request that their personal details be removed and that further processing be prevented when:

  • Their personal data is no longer necessary for the purpose for which it was originally collected
  • The individual withdraws consent
  • The data was unlawfully processed
  • The data has to be erased to comply with a legal obligation

However, there are some situations where a request for erasure can be denied. For instance, when the personal data is processed for public health purposes in the public interest; for archiving in the public interest; or to exercise the right of freedom of expression and information.

Privacy Impact Assessments (PIAs)

Where use of personal data is deemed ‘high risk’ to a consumer’s rights and freedoms, the GDPR states that you must conduct a PIA for certain activities, such as:

  • Large-scale processing of sensitive personal information
  • Use of new technologies
  • Systematic and extensive processing activities, including profiling and decisions that have a legal impact on individuals
  • Large-scale systematic monitoring of publicly accessible information

Penalties for non-compliance

There are harsh penalties for non-compliance, which should further push brokers to start making the necessary changes as soon as possible. For instance, serious infringements can lead to a fine of up to 4% of a firm’s global revenue, or €20m; while businesses that fail to fulfil certain other obligations set out in the GDPR could risk a fine of 2% of their global turnover, or €10m.

Steps to take now

As a broker, there are a number of things you can be doing now to ensure that you’re well prepared for the introduction of the GDPR next year. These include:

  1. Making your staff, insurer partners and IT suppliers aware of the new law
  2. Documenting all data you hold, where it originates and who it’s shared with
  3. Revising Privacy Notices and devising a plan for changing them
  4. Assessing how you seek, obtain and record consent
  5. Evaluating procedures to identify, report and investigate a data breach

Ultimately, GDPR coming into force will require all businesses to gain greater awareness of their data – where it’s stored, who is accessing it and who should be accessing it. By making changes today, you’ll put yourself in good stead for the 2018 deadline.

If you feel like you could benefit from some support, why not partner with Stride? We have over 40 years of industry experience and boast a full, in-house support team that can assist with everything from underwriting and quotes to admin and claims. To find out more, call 023 9224 8790 or email brokers@stride-group.co.uk.

Sources:

http://www.insuranceage.co.uk/broker/3092191/data-breaches-in-insurance-doubled-in-201617
https://dma.org.uk/uploads/misc/5925ac1895867-gdpr-and-you—chapter-three-(1)_5925ac18957b2.pdf
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/