New Data Protection Regulation: The Need for Action
In May 2018, the European General Data Protection Regulation (GDPR) will come into force. This wide-ranging piece of legislation will affect companies from all industries and brings with it strict reporting requirements in case of data loss and significantly increased fines of up to 4% of turnover for compliance failure.
Although the UK is set to leave the EU, the regulation will come into force before that process is complete – both the UK government and the FCA have made it clear that UK firms must continue to implement EU law in the interim. In any event, for business to continue within the EU, we would expect that UK companies would need to have controls in place that meet their business partners’ expectations.
The implications for the insurance industry apply mainly to consumer policies and the personal data insurers hold. However, most group policies with individual beneficiaries and any handling of third-party personal data would also be in scope. This means all managing agents will need to be up to speed, regardless of their business lines.
There are several issues that will affect the insurance industry, including data portability, erasure and international transfers. However, by far the greatest challenge for the Lloyd’s and London market will be how privacy notices, detailing how consumer data will be used, are provided and how consent to process data is obtained.
At present, personal data can be passed between producing brokers, coverholders, placing brokers and a number of insurers, as well as to and from other entities, such as Xchanging, Lloyd’s and Third Party Administrators. It is important to note that personal data can be provided by the data subjects themselves in addition to being provided by their family members or employers on other policies.
Providing privacy notices from multiple market participants and obtaining consent is a challenge best tackled by the market as a whole. The LMA is working with the other market associations to develop a standard form privacy notice and consent framework.
Once that framework is at consultation stage, we will then look to update the market model TOBA (Terms of Business Agreement) and other market agreements accordingly. We will also perform a review of our model wordings. The LMA is delighted to have DAC Beachcroft, Clyde & Co and Norton Rose Fulbright assisting us with this work and we plan to hold a series of market presentations through this year and next.
However, none of that market-level work should delay managing agents’ own preparation for the GDPR. Next May will come quickly and managing agents need to take action now.