GDPR is Here
GDPR is with us, from 25 May 2018, and also the UK Data Protection Act 2018. These new laws and the new data protection laws of the individual Member States within the EU/EEA bring a sea change in the regime for data protection throughout the EU/EEA and their reach extends further overseas too. The question of reach has been the subject of market presentations and guidance by the LMA. The most recent guide is that published with DAC Beachcroft (17 May 2018): LMA18-027-KK
The protection of personal data is becoming ever more important and complex as information technology develops. Exhaustive work has taken place at firm level on GDPR compliance and at market level to assist – and, as the ICO would expect, this starts at home. How GDPR will mesh with developing overseas data protection regimes will take longer to settle down. One thing we are all keen not to do is to overburden overseas coverholders and TPAs with requirements that potentially conflict, or are disproportionate when taken together, with their own local requirements.
Having said that, overseas agents need to be aware of the compliance requirements of Lloyd’s managing agents (and London market firms generally) and need to assist where necessary. The basic position is this (see section 4 of the Guide):
Where personal data is transferred out of the UK by a managing agentto a non-EEA coverholder/TPA (e.g. in relation to a claims adjustment or settlement), then GDPR and the UK Data Protection Act 2018 apply to this transfer out of the EU/EEA and an approved mechanism for the export of data should be used: for example the EU Model Contract Clauses (currently under review by the Commission) - see the LMA GDPR Guide for more details.
The updated model binding authority, consortium and TPA agreements and TOBAs, and GDPR endorsements, contain provisions that the parties assist and co-operate with each other (e.g. in relation to providing the stipulated information to data subjects for GDPR and local law compliance); and that they enter into further agreements as necessary (e.g. in relation to the export of personal data from the EU/EEA).
As a further step, the LMA is preparing a short ‘standard-form’ explanation for non-EEA coverholders and TPAs about GDPR, which may be used by managing agents to explain proposed binding authority/TPA agreement amendments, and would help in giving coverholders and TPAs a consistent message on how they could assist Lloyd’s managing agents with GDPR compliance. We are also reviewing the existing model US and Canadian privacy notices to see whether updated versions could be published to combine GDPR content.
A point to note is that the UK Data Protection Act 2018 contains the new ‘insurance purposes ground’, so that classes of special category personal data (e.g. health) and criminal convictions may be processed where this is necessary for an insurance purpose (within the terms of the Act) without consent from a data subject. Since Lloyd’s managing agents are data controllers based in the UK, they will be able to use this new processing ground in relation to such data, whether the data subject resides within or outside the UK/EU/EEA. Therefore, while it is obligatory to provide requisite information to data subjects, it would not be necessary to obtain explicit consent for the processing of certain special category personal data and criminal convictions data where the new ground applies.
The LMA is also discussing with Lloyd’s whether it may be appropriate for Lloyd’s to issue guidance on how the Lloyd’s Conduct Minimum Standards may be met in terms of managing agents minimising personal data received on a bordereau-by-bordereau basis in order to comply with the GDPR and UK Data Protection Act 2018 principle of data minimisation, while continuing to maintain ready access to the personal data held by coverholders/TPAs through contractual rights.
Click here to download Viewpoint.