Brokers should outsource to avoid GDPR “financial and regulatory headache,” but they need to be wary of “snake oil” companies, warns SchemeServe chief operating officer.

Some brokers are at risk of fines by the Information Commissioner’s Office (ICO) if they do not have a data protection officer (DPO) in place by May 2018. One way to tackle this is outsourcing, but some companies do not appear to have brokers’ best interests at heart, cloud-based software provider SchemeServe has warned.

General Data Protection Regulation (GDPR) comes into force 25 May 2018 and all brokers, including SMEs, will be required to abide by the rules or risk hefty fines. In October, legal expenses insurer DAS UK warned that four in ten brokers were unaware of the changes they needed to make as a result of the new regulation.

According to the ICO, a company will require a DPO if it carries out “large-scale processing of special categories of data”, or any data that relates to criminal offences or convictions.

In addition, companies that carry out large-scale monitoring of individuals, such as online behaviour tracking, will need an officer in place.

Public authorities are also required to have a DPO.

What are the responsibilities of a DPO?

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).


A DPO will not be required to be on-site or work at an organisation at all times, so it is possible for multiple brokers to share a DPO.

SchemeServe chief operating officer John Price thinks that for some brokers, having to pay for their own full-time DPO will be “another financial and regulatory headache”.

To avoid this, SchemeServe will be offering its customers the option to take on an in-house DPO with experience in the insurance sector one day a month.

Price explained that he thinks it will be better for brokers if DPOs understand their business, commenting: “GDPR applies to all organisations, but the practical implementation will be so much easier and efficient if the DPO speaks the same language.  How many other DPOs will be able to talk to brokers and understand how they do things?”

Price cautioned that while there are many reputable firms offering GDPR services and DPOs, there are others “ that appear to have just read a book on it and call themselves experts.“

He warned brokers: “Make sure yours can back up what they claim.”