As we have previously reported[1], UK data protection laws will be strengthened in favour of consumers under the new Data Protection Bill, which implements the EU General Data Protection Regulation (GDPR).
The regulations shift the burden onto the data controller to demonstrate why its processing of data should be allowed to continue. This has ramifications for various companies including those operating in the insurance industry in relation to the capture, use, storage and security of personal information. In particular, insurers may face considerable difficulties in respect of historical data “warehouses” used in sophisticated modelling tools.
The head of policy at Privitar, a privacy engineering firm, commented: “it’s much harder for organisations to ignore a ‘right to be forgotten’ request or an objection to processing on the basis of legitimate interest”.
Under the GDPR, it is a mandatory requirement for organisations that process personal data and monitor individuals on a large scale to have an independent, in-house Data Protection Officer (DPO) who cannot be instructed on how to carry out their tasks and must report to the top levels of management. The DPO is afforded new “protected status” whereby he/she cannot be dismissed or penalised for performing his/her responsibilities.
In addition, the UK’s Information Commissioner’s Office may now impose increased fines of up to £17 million or 4% of global turnover for serious breaches of data protection.
The new Data Protection Bill will come into force in May 2018.
For further detail, please see the HFW Briefing “All Change – Are you ready for the EU General Data Protection Regulation?”[2]