Dominic Ralfs

Senior Consultant

The New Standard in Data Protection Legislation

When it comes to regulation, practitioners in the UK insurance industry might be forgiven for recalling the well-known urban myth about London buses; you wait an age for one, then three all come along at once.

It seems we have a similar pile-up of legislative traffic here in the Square Mile.

First we had Solvency II Pillar 3, now in force, but drawing its roots from the banking crisis of 2008. Ironically, though, it only applies to insurance and, in a nutshell, requires the industry to obtain more data from Coverholders and Delegated Authority specialists.

Then there is the International Financial Reporting Standard, better known to its friends as IFRS 17, which, as the acronym implies, will be in force later this year. It delivers the latest financial reporting regulations and further directives about the data that must accompany them, and work is ongoing with specific reference to insurance contracts.

And thirdly, there is the General Data Protection Regulation (GDPR) which comes into force on 25th May, 2018, replacing the UK Data Protection Act (DPA). This European legislation substantially broadens the obligations for organisations that hold and process data relating to EU citizens. GDPR will standardise and significantly strengthen the restrictions on the use of personal data across all EU member states.

Hearts may temporarily flutter with the hope that, as Brexit is now underway, the United Kingdom will be absolved from this EU legislation; sadly not, the government has already confirmed that the UK’s decision to leave the EU will not affect any implementation of GDPR.

Admittedly, these three buses didn’t all come along at once (GDPR was four years in the making), and here the analogy must end, for none of these pieces of legislation will drive the industry to any particularly exciting destination. GDPR represents radical changes to European data protection legislation; it contains stringent obligations, many of which will take time to prepare for, and it will have an immediate impact from the end of May next year.

GDPR will establish a tiered scale of fines for infringements, up to a maximum of 4% of the annual worldwide turnover of the company in breach. Understandably, these potential fines are attracting the attention of every board-level executive.

The obligations of GDPR on brokers, underwriters and MGAs are considerable and the scale of the fines for misuse of data is designed to incentivise early preventative action.

All market players need, at the very least, to understand the implications for their own organisations.

As I see it, mid-size London market organisations are grappling with GDPR at the moment, and there’s a real need for a standardised model that could help all syndicates and brokers: “GDPR in a box”, if you will.

So, that’s the bad news over with. In my next blog, I will look at what effect GDPR will have on London and other insurance markets, outline the industry-specific challenges that will emerge within the data supply chain, and share with you some real-life statistics from organisations working on this topic right now.