25th of May, 2018. That’s the deadline businesses have been given to comply with the new General Data Protection Regulation (GDPR). It applies to all organisations that store personal data, and will therefore naturally apply to all insurance brokers.
The advice across the industry is to be proactive rather than reactive, and to start preparations now if you haven’t already got the ball rolling. Our Compliance team provides Broker Network Members with guidance and updates on the requirements, but for anyone without access to these services, the Information Commissioner’s Office (ICO) has compiled a useful list of the 12 steps you should be taking.
The 12 Steps to prepare for the GDPR
1. Awareness
Make sure decision makers and key people across the organisation are aware of the law changes and understand the impact they will have. This could have significant resource implications, especially for larger organisations.
2. Information you hold
Document the information you have on record: you need to know where it came from and who it is shared with.
3. Communicating privacy information
Review your current privacy notices to highlight any areas that need updating before the new regulations come into force.
4. Individuals’ rights
Ensure your procedures cover all the rights individuals have, for example how personal data is deleted and how it can be provided electronically in an accessible format.
5. Subject access requests
Update your procedures to plan how you will handle requests, including the new timescales and the additional information you must provide. Consider the logistical implications this might have too.
6. Lawful basis for processing personal data
Identify the lawful basis in the GDPR for each of your processing activities, document it, and update your privacy notice to explain it.
7. Consent
Review how you seek, record, and manage consent and whether you need to make any changes. Your existing consents might not meet the new standards, so you will also need to investigate and potentially refresh existing records.
8. Children
Consider whether you need to put age verification systems in place and whether parental or guardian consent is required.
9. Data breaches
Put the right procedures in place to detect, report, and investigate data breaches.
10. Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers
Designate someone to take responsibility for data protection compliance. Also consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
In full depth
Hopefully, you will find that you are already adhering to a number of these areas as part of the current DPA requirements. Some aspects of the GDPR will, however, expect you to go further in taking accountability for the personal data you hold, so it is important to ensure your systems and controls are sufficient to accommodate the changes.
We recommend reading the ICO’s full guidance, which adds further details and resources to the 12 steps above: Preparing for the General Data Protection Regulation (GDPR).
To learn more about Broker Network’s Risk & Compliance services and how we help independent insurance brokers comply with industry regulations, please get in touch.