The implementation deadline (25 May 2018) for the General Data Protection Regulation (GDPR) is finally upon us, and what a journey it has been. Brokers should by now be well versed in the rules surrounding GDPR, a set of European Union (EU) regulations that will replace the existing Data Protection Act. By ‘well versed’ we mean compliant, of course, because GDPR became law in April 2016. 25 May is the date from which the Information Commissioner’s Office (ICO) will start enforcing the law.
Remember that even though Britain is exiting the EU, GDPR will still apply. After all, Britain is still part of the EU until next year (we assume) and the government confirmed long ago that it would be taking on GDPR.
Total compliance with the regulations won’t be the final step, because customers are increasingly becoming aware of their rights under GDPR. They will want to ensure that their information is protected, and no doubt they will want to ask questions and exercise their rights, as they are perfectly entitled to. You, as the broker, or anybody else that holds sensitive personal data, such as general practitioners, gyms and dental practices, will have to comply with the rules and respond to any request that may come from consumers under GDPR.
Here are the likely questions or requests that your brokerage will receive and our advice on how this should all be handled within the GDPR rules:
They can ask for full disclosure: Customers can ask a broker what information it holds about them. This is called a data subject access request. If such a request is made, the broker has to export, in a machine-readable format, all the data it holds about that person. Brokers are not allowed to charge for this service and must provide the information within 30 days. Decent software, like SchemeServe, should be readily available and able to help you download this information at the click of a button. But before you act on the request, you also have to make sure that the right person has asked you for that information. Make sure you are using a proper validation process so that you have correctly identified the person who is authorised to make such a request.
They can require that the information be accurate: Any personal data and information (such as date of birth, address, etc.) that you hold about the customer needs to be accurate and up to date. Be clear about any changes that have been made if you have permission to share this data. Any changes to the data need to be recorded, and you need to keep a trail of the amendments.
They can also ask the broker to delete the data: ‘The right to be forgotten’, or the right to erasure, means that customers can request that you delete all the information you have about them. However, a request like this doesn’t necessarily mean that you have to do it. There may be certain conditions or legal requirements (such as employer liability cases) that compel you to keep all of the data or parts of it. You also don’t have to delete the data if there is an active policy with the client.
It’s important to have someone in the office who will be responsible for these data deletion requests (a data controller). He or she should have the knowledge and the authority to decide whether the consumer has the right to have the information deleted. If you have policies about how data is kept, or conditions under which it is deleted, it’s ideal to have them published, ideally on your website. Remember that customers also have the ‘right to restrict processing’. Again, this can matter for something important. For example, you may have legal reasons for holding the information – perhaps you feel the information may be needed in future court cases. The ‘right to restrict processing’ simply means that you may hold onto their data but you may not use it.
If you only have basic information about your clients, or even old information about them (such as dates of birth and addresses), then you still have to ensure that you have permission to keep that data (if you haven’t done so already). A general way to address this would be to write to each client and explain what data you hold and why you have it. Ask them if it’s OK that you keep it, and tell them why you have it and what you will do with it. You should also advise them that they can ask for their own records, and that they have the option to ask you to delete them and to correct any mistakes.
They may ask not to be profiled: Profiling happens frequently, particularly within the insurance industry. It helps companies to reduce risk and costs and even to meet regulatory objectives. However, under GDPR, consumers will have the right to request that they are not profiled. Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate personal aspects relating to a natural person”. This would include making decisions based on a person’s work, economic situation, health, preferences, interests or even behaviour, among other things.
In the insurance industry, customers are typically profiled for motor insurance. For instance, insurers may deem that drivers under 21 are high risk. However, your customer may want to have their case looked at again, or their premium adjusted, because they feel they are a good driver and shouldn’t be lumped together with all the other under-21s. There is nothing wrong with consumers using this right and requesting that brokers and insurers look at their cases individually. However, the GDPR rules don’t give subjects the right to avoid profiling altogether. They do, though, afford them the right not to be subject to any decision based solely on profiling.
They have the right to consent: Have you ensured that your policies fully comply with the new GDPR rules on obtaining clear consent from individuals for the use of their data? What about all the other things you may have on the go, like subscriptions to newsletters? Have you obtained consent for this information to be sent to the customer? Do you have proof of this consent? Are your customers aware of the information you keep about them and why you keep it? If not, you need to do something about this. Remember, it’s not enough simply to inform your customer. If you’ve emailed or written to your customer and they have not responded, this doesn’t mean that you have been granted consent.
Consumer rights have become much more visible and well known under GDPR. The GDPR rules aren’t new; however, brokers are likely to get a lot more of the above requests, either because customers are more informed or because a movement has been created by legal or consumer rights activists. If there are hundreds or even thousands of simultaneous requests to delete information, will you be prepared?
If you need to process those requests within specific time frames, then the tools you use need to be efficient. With SchemeServe, brokers can export data at the click of a button. It’s not illegal to have a manual process in place, but if you rely on such outdated systems it could take a lot of people working many hours if you have thousands of policies and deletion requests.
Now that GDPR comes into force this week, you need to have something in place to get that information quickly and easily. If it’s not easily accessible, then you will end up doing little or no business, as you’ll be drowning in those requests.
Systems also need to be robust. When you export data for a single person and there is more than one person on the policy, you may not share the other person’s information. This is where companies and individuals working through manual systems or paper records are likely to get it wrong.
If that second person is harmed, has their reputation negatively impacted, or is otherwise disadvantaged because their information has been shared, you can open your business up to libel action. All the software systems out there should be ready, and there shouldn’t be any work left to do to improve them – not at this late stage.
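As an added example (not SchemeServe code, and not any tool the article describes), here is a small Python sketch of two points made above: handling a data subject access request by validating the requester and exporting their data in a machine-readable format within the 30-day window, and keeping the second policyholder’s details out of the export when the policy is a joint one. The policy record, subject ids, verification rule and audit store are all constructed placeholders.

```python
"""
Added example (not SchemeServe code): build a data subject access request (DSAR)
export for one person on a joint policy without leaking the other policyholder's
personal data, and record the export in an audit trail. All values are constructed.
"""
import json
from datetime import date, datetime, timedelta, timezone

DSAR_DEADLINE_DAYS = 30  # response window stated in the article

# Constructed joint motor policy with two data subjects (placeholder people).
POLICY = {
    "policy_ref": "POL-EXAMPLE-0001",
    "product": "motor",
    "start_date": "2018-01-15",
    "policyholders": [
        {"subject_id": "S-1001", "name": "A. Example", "dob": "1990-04-12",
         "address": "1 Example Street", "email": "a@example.invalid"},
        {"subject_id": "S-1002", "name": "B. Example", "dob": "1988-11-03",
         "address": "1 Example Street", "email": "b@example.invalid"},
    ],
}

# Fields that identify a person: another subject's values must never leave in an export.
PERSONAL_FIELDS = ("name", "dob", "address", "email")

AUDIT_LOG = []  # in-memory stand-in for a durable audit store


def verify_requester(policy, subject_id, claimed_dob, claimed_email):
    """Hypothetical validation step: the requester must quote details we already hold.
    True only when the subject is on the policy and both claimed values match."""
    for holder in policy["policyholders"]:
        if holder["subject_id"] == subject_id:
            return (holder["dob"] == claimed_dob
                    and holder["email"].lower() == claimed_email.lower())
    return False


def build_dsar_export(policy, subject_id):
    """Machine-readable export: the requester's own record plus policy-level facts.
    Other policyholders are reduced to a count, with no names or contact details."""
    own = [h for h in policy["policyholders"] if h["subject_id"] == subject_id]
    if not own:
        raise ValueError("subject not on policy")
    others = [h for h in policy["policyholders"] if h["subject_id"] != subject_id]
    return {
        "subject": dict(own[0]),
        "policies": [{
            "policy_ref": policy["policy_ref"],
            "product": policy["product"],
            "start_date": policy["start_date"],
            "other_policyholders": len(others),
        }],
    }


def leaks_other_subjects(export, policy, subject_id):
    """Pre-release check: does the serialised export contain a personal value that
    belongs to a different policyholder? A value the requester also holds (for
    example a shared address) is part of their own record and is not flagged."""
    blob = json.dumps(export)
    own_values = {export["subject"][f] for f in PERSONAL_FIELDS}
    for holder in policy["policyholders"]:
        if holder["subject_id"] == subject_id:
            continue
        for field in PERSONAL_FIELDS:
            if holder[field] in blob and holder[field] not in own_values:
                return True
    return False


def handle_dsar(policy, subject_id, claimed_dob, claimed_email, received_on):
    """Validate, export, check for leakage, and log. Returns None when the
    requester could not be verified; otherwise the export and its due date."""
    due_by = received_on + timedelta(days=DSAR_DEADLINE_DAYS)
    entry = {"subject_id": subject_id, "received_on": received_on.isoformat(),
             "due_by": due_by.isoformat(),
             "logged_at": datetime.now(timezone.utc).isoformat()}
    if not verify_requester(policy, subject_id, claimed_dob, claimed_email):
        AUDIT_LOG.append({**entry, "outcome": "rejected"})
        return None
    export = build_dsar_export(policy, subject_id)
    if leaks_other_subjects(export, policy, subject_id):
        AUDIT_LOG.append({**entry, "outcome": "blocked"})
        raise RuntimeError("export would disclose another policyholder's data")
    AUDIT_LOG.append({**entry, "outcome": "exported"})
    return {"export": export, "due_by": due_by.isoformat()}


if __name__ == "__main__":
    result = handle_dsar(POLICY, "S-1001", "1990-04-12", "a@example.invalid", date(2018, 5, 25))
    print(json.dumps(result, indent=2))
```

The leakage check is deliberately separate from the export builder: the builder is where a future change is most likely to reintroduce the other policyholder’s fields, and the check catches that before anything is released. In a real system the audit entries would go to an append-only store rather than a list.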
If prices from your software provider are only going up now, it perhaps implies that they weren’t ready and had to do work on their offerings. This is where you need to consider who you are partnering with. Red flags should be raised if you suspect that a major piece of software wasn’t already protecting data.
The responsibility is in your hands. Organisations will be required to hire a data protection officer to oversee obligations and responsibilities. The good news is that third-party or external officers are permitted, subject to approval, and SchemeServe has a data protection officer that you can hire on a part-time basis. Just give us a call.
Further reading: A source of information and a checklist is available from the Information Commissioner’s Office.