In practice, probably not much.
Given the publicity around the extent of the General Data Protection Regulations (GDPR), due to come into force on 25th May 2018, perhaps we should explain this view.
Many of the obligations under GDPR exist under the Data Protection Act 1998. Financial institutions who do not meet the standards can be fined by the Financial Conduct Authority (FCA), as well as the Information Commissioner’s Office (ICO). Systems security and access control are already part of everyday working. Protection insurers in particular are aware of the sensitivity of medical information they may hold on people they are covering.
One area that is not affected by the new regulations, but is perhaps currently misunderstood, is that insurers are not Data Processors, but Data Controllers. They specify the information required to provide the insurance and decide how it is used for pricing and administration. Therefore if anything went wrong, they would be responsible. It is not necessary, or appropriate, for an employer to require a data processing agreement.
The bill for the legislation to implement the GDPR in the UK was published on 13 September 2017. It is a lengthy, 218-page document, and there is one clause that deals specifically with Group Insurance products. Effectively, this will allow an employer to transfer data on employees to the insurer where necessary to provide insurance cover for groups. This can be done without obtaining consent from each individual.
When doing so it is important to consider the third data protection principle – “data should be adequate, relevant and not excessive”. Canada Life does not need an employee’s home address, telephone number or NI number to quote or prepare accounts, so please don’t send them.
More details will emerge as the bill goes through Parliament and the ICO publishes further guidance. We will provide updates and material as the timeline for the GDPR launch approaches and further guidance is made available.
You can download a PDF of this market update below.