“I have read and heard something about this GDPR, it sounds as though it is bad news and we may not be able to do business without major changes. Is that true?”
Over recent months much has been written and said about the GDPR, and some of it has been misunderstood.
The GDPR exists because changes in technology and court rulings have required the law to be updated; the changes it introduces largely reflect those developments.
Some things to consider:
This applies to all data that you hold, including paper records and data held electronically or in the "cloud".
Do you hold any personal data? Personal data is defined as information from which a living natural person can be identified, either directly or in combination with other information held by the data user. Remember, this will not only apply to your clients; it will also apply if you hold staff records or business contacts.
Are you registered with the Information Commissioner's Office (ICO)? The law requires any organisation that processes personal data, in whatever form, to be registered with the ICO unless an exemption applies.
Do you comply with the data protection principles? That is, do you process and hold the data in accordance with the following: the data is processed lawfully; it is collected only for a specified purpose and not further processed unnecessarily; it is limited to the information required; it is accurate, kept up to date, and corrected or erased where necessary; it is kept no longer than necessary; and it is handled in a manner that prevents loss, unauthorised access, destruction or damage.
Processing of data is considered lawful in the following circumstances.
If the processing is necessary to perform a contract or to enter into one. This can be anything from entering a rental agreement with a potential tenant to paying for a meal using a credit card.
To comply with a legal obligation. For instance, verifying the identity of a tenant to comply with immigration regulations.
To protect the vital interests of the data subject. For instance, recording the details of a potential claimant under public liability insurance.
For the legitimate interests of the data controller or a third party. For instance, a managing agent processing rent payments for a landlord.
If none of the above criteria are met, then you may process data with the explicit consent of the data subject, provided the following conditions are met: the data subject gives consent by a clear and affirmative action, and the data controller can demonstrate this. Pre-ticked boxes, or requiring the data subject to opt out, do not count as consent. It must also be as easy to withdraw consent as it is to give it.
Sensitive data has been renamed "special categories of personal data". This is data relating to a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation.
Processing or holding this data is expressly forbidden unless one of the following conditions is met.
For the establishment, exercise or defence of legal claims, for instance injuries that may lead to a claim against an insured.
The processing is necessary for employment purposes, for example employees' sickness records.
Where the person has manifestly made the information public, for instance when carrying out enhanced due diligence on an elected politician to comply with the money laundering regulations.
To protect the vital interests of the data subject or another individual where the data subject is incapable of giving consent. For instance, your records hold health information about an employee who has a medical emergency and you need to tell the emergency services about a health condition so that they can treat them.
With the explicit consent of the person, where reliance on consent is not prohibited by law. A person with a mental impairment who is a ward of court, for instance, would not be capable of legally giving consent.
The GDPR requires the following information to be provided to data subjects.
- The identity and contact details of the data controller and if applicable the data protection officer
- The purposes and the legal basis of processing the data, for example "this is to process your application for tenancy and make payments to your landlord".
- Who, or what types of organisation, will receive the data.
- The right to access, correct or erase the data, to withdraw consent (if given), and the right to data portability.
- How long the data will be stored, or the criteria used to determine that period.
- The right to complain to the regulator.
- Where the personal data is required to enter a contract, the consequences of failing to provide it. For instance, refusal to provide personal information on an application would lead to a refusal to issue cover.
The same information must also be provided to the data subject when the personal data has been received from a third party, for instance an insurance company receiving personal information about a potential claimant.
If the data is received from a third party, the data subject must also be told the categories of personal data, the source, and whether it came from publicly accessible sources.
Right to be forgotten. This is the area that appears to have caused the most confusion, because it is assumed to give an automatic right to have all information deleted. It does not. There is a right to have data erased if the data is no longer required; if consent has been withdrawn and there are no other grounds for processing; if the data was unlawfully processed; or if there is a legal requirement to erase it. However, erasure does not apply where the data is required for the establishment, exercise or defence of legal claims. So a motorist could not have his data erased once his policy expires, as a claim may be lodged against the insurance company in the future.
What you should do now
Carry out a data audit: look at what personal data you hold, how you secure it, and whether it is accurate and up to date. How do you inform your staff and clients about data protection? Visit the Information Commissioner's website. There is a great deal of free information and guidance on the GDPR for your use.
Paul Houston, Compliance Officer at St Giles Insurance