The LMA and DXC Technology have produced three market protocols in relation to the rights of data subjects (e.g. an individual policyholder). The first protocol concerns the data subject’s right to make a data subject access request (also known as a DSAR). If the managing agent (data controller) cannot satisfy the DSAR from the data that it holds, because the relevant data is held by DXC (as the data processor), the managing agent will need to make a further request to the processor to help collate the details required.
A DSAR gives data subjects the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why firms are using their data, and to check that firms are doing so lawfully. Under the General Data Protection Regulation (GDPR), managing agents have one month to respond to a DSAR. The DSAR market protocol explains the steps that managing agents need to take when they require DXC’s assistance.
The GDPR also introduced a right for data subjects to have their personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Data subjects can make a request for erasure verbally or in writing. Again, managing agents have one month to respond to a request.
The data subject also has the right to ensure that the data that firms hold about them is correct. In most cases, the managing agent, as the data controller, should be able to rectify any erroneous data held, but it will also need to ensure that DXC rectifies the erroneous data where necessary.
The three protocols on DSARs and the rights of erasure and rectification have been reviewed by the LMA cross-market GDPR working group. This group comprises representatives from the LMA, IUA, BIBA, LIIBA and market practitioners. A joint LMA/DXC market communication is being prepared and will be published on the LMA website in due course.
Published 13 September 2019