Insurance sector must “make friends with consent and each other” in the run-up to GDPR and UK Data Protection Bill changes, says ICO’s Emma Bate at the ABI’s 2017 Data Conference

The insurance industry should not expect special treatment when it comes to the implementation of the EU’s General Data Protection Regulation (GDPR) next year, an Information Commissioner’s Office (ICO) official has warned.

Speaking at the ABI’s 2017 Data Conference last week, ICO general legal counsel Emma Bate, formerly a partner at DAC Beachcroft, also urged the industry to “make friends with consent and each other”.

The view from the regulator is that “you are not special,” warned Bate. “We [the industry] have used and abused consent in this country for some time,” she continued. “Now is the time to press the reset button.”

Keep calm and carry on

Insurers were told that they need to be ready for 25 May, when the GDPR comes into force. Bate invoked the stoic wartime British mantra of “keep calm and carry on” to encourage her audience to continue working towards GDPR compliance.

Bate also promised further draft guidance on consent early next year. She suggested it was best to focus on being GDPR ready rather than panicking about the new UK Data Protection Bill, which will replace the Data Protection Act of 1998.

The UK Data Protection Bill has frustrated the industry. Clyde & Co lawyer Isabel Ost has complained that it will “severely impact insurers’ current business models.” There was some good news for insurers on the Data Protection Bill, as Bate suggested that there was still time for lobbying and room for amendments.

Work together to make GDPR work for you

Once the GDPR changes kick in, companies and organisations must have a good reason for holding on to data, rather than keeping everything that they can.

Brokers, insurers, reinsurers and MGAs must work together across the chain to ensure that data can be shared. Where a broker is closest to a customer, they must get clear consent so that personal data such as health histories and criminal records information can be passed on.

The EU’s GDPR changes were announced two years ago, but recent research from legal expenses insurer DAS has shown that while insurers may be working to address the new regulations, four in ten UK brokers are still unaware of the changes.

Consider the customer journey

Insurance businesses must also think hard about the customer journey: at which point in it they will try to collect a consumer’s data, and how they will justify this.

For those who are struggling to form new privacy policies and consent notices, Bate confirmed that the London Market Association (LMA) is planning to publish guidelines soon.

Is it time for a European Insurance Industry Code of Conduct?

Bate hinted that one way for insurers to continue to share data might be to pursue a European Insurance Industry Code of Conduct.

Binding Corporate Rules (BCRs) are another option for those who wish to share data with specific groups. These enable intra-organisational data transfers while operating under EU guidelines on data protection.

The ICO is now considering ways that UK businesses will be able to use and share data internationally if no “adequacy plus” solution can be reached with the EU, Bate confirmed.
