Here we’ll examine the impact of the GDPR (General Data Protection Regulation) on UK business practices and specifically your rights as a consumer of insurance and insurance-related products.
The origin of legislation covering how a company may or may not use data relating to you as an individual goes back a long way. The Data Protection Act (DPA) - now in its third incarnation - was introduced to control where information about you was stored and how it was used. The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The GDPR regulates the collection, storage, and use of personal data significantly more strictly.
The EU-wide GDPR has three major objectives:
- to improve consumer rights and protection in this area;
- to update legislation, given how much technology has changed since the 1990s;
- to harmonise law across the EU and western Europe as a whole.
At the time of writing, it is assumed that this legislation will be enshrined largely “as is” within UK law once Brexit has taken place.
What GDPR does
In summary, this legislation provides consumers with the right to:
- be informed. This means an insurance company must tell you who is processing your data and why;
- access your data. Your insurer, upon request, must provide a copy of information relating to you that they hold and are processing. They must also tell you why they are doing so and whether or not your data is being sent outside of the EU;
- demand the correction of data held about you which is incorrect;
- be forgotten in terms of data held about you – when the insurance company no longer has an active reason to hold and process it. NB. Please see the “points to note” below;
- transfer your data – sometimes called the “right to portability”. This means that, for example, you could ask for a copy of your data to be sent, in standard data interchange formats, to another party if you wished;
- object to the processing of your data. This is absolute in the context of direct marketing purposes but may be limited in other situations. NB. Please see the “points to note” below;
- obtain human intervention. This might apply in situations where your insurer has made a decision based on automated processes (sometimes called “algorithms”) that you are unhappy with. You have the right to ask for such a decision to be reviewed and checked by a human being.
Points to note
GDPR, like all legislation, sometimes contains clauses that may need to be evaluated in terms of their conferred rights and entitlements versus any potentially conflicting obligations as contained in other legislation.
For example, your right to ask an insurance company to forget you and your data must be balanced with the requirements of other regulatory legislation which requires companies to maintain auditable copies of their transactions with clients for a specified minimum time period.
Another illustration might be where you’ve asked an insurance company to stop processing your data but where they’re not permitted to do so immediately by legal and regulatory requirements demanding that they meet certain minimum criteria in terminating their dealings with you over time.
GDPR and UKinsuranceNET
GDPR is a powerful piece of legislation that will improve and clarify consumer rights in many important areas. At UKinsuranceNET, the protection of our customers’ data has always been of paramount importance to us but GDPR makes the security and privacy aspects even more important.