Return to main news


Posted by H3 on 2018-05-18 13:06:20 BST

You can’t escape GDPR news, from articles to regular consent emails being received.  Many firms will be GDPR ready, but if you’re not, you still have time.  In large the GDPR is not a big change from existing data protection rules for brokers, so firms which already have robust procedures wont have a difficult task updating to GDPR.  With the deadline nearing ( 25th May), below is a summary of the main requirements. 


Personal Data

The GDPR expands on what is considered personal data and includes information such as an online identifier (IP address) this is to broaden requirement based on increased use of technology.

In order to comply with the GDPR regarding personal data you should:

1. Process data lawfully, fairly and in a transparent manner

2. Ensure information collected is only for specified and legitimate purposes and not further processed, except for archiving or statistical purposes, such as MI reporting

3. Information should be only collected which is relevant and limited to what is required for the purpose its being processed

4. Information should be accurate and kept upto date and if inaccurate the information should be erased or corrected without delay

5. Kept for no longer than is necessary for the purpose in which the data is being processed, however data can be kept longer for archiving purposes to ensure compliance with record keeping requirements.

6. Data should be processed in a manner that ensures security of the personal data and ensuring protection against accidental loss, damage and unlawful processing

For the majority of brokers the change in the definition will have minimal impact, you should assume if you hold information then it will fall within the scope of the GDPR.  Brokers should already be adhering to the above requirements.


Lawful Processing

This is what was referred to as “conditions for processing” under the DPA, you need to identify a lawful basis before you process personal data and document this.  A number of lawful basis exist, the ones more suited to brokers are contractual, legitimate interest and consent.  Under the GDPR having a customers consent gives them stronger rights. 

Consent should be specific, informed and freely given.  Some form of affirmative action must be obtained such as a positive opt-in.  Consent should not be inferred such as assuming as the customer hasn’t said anything you assume its ok, it shouldn’t be pre-ticked boxes (opt out).

Consent must not be hidden or included with other terms and conditions and you should ensure an easy process is in place to withdraw consent.   You are not required to refresh all existing DPA consents to prepare for the GDPR. But if you rely on individuals consent to process their data then they must meet the GDPR standards on being specific, clean, prominent and an opt in

For brokers this will mean ensuring a compliant opt in consent form is prepared or included within existing documents, this will need to be stand alone from any other T&C’s. 


Individual Rights

The individual has to be provided with fair processing information, typically through a privacy notice, which should cover be clear, easily accessible, written in plain language and free of charge.  The information which should be supplied includes these main areas:

- Data we collect and process

- Why we collect data, what the data is used for

- Lawful basis of processing

- Data sharing, who data is passed to

- How data is protected, security in place for transferring data

- How long data is retained, criteria used to determine the retention period

- The existence of each of data subject’s rights

- The right to lodge a complaint with a supervisory authority

For brokers the easiest option is to include the above within a privacy policy.  The privacy policy should then be issued to every customer.  A consent form can then be used to allow you to contact the customer in the future such as for marketing. 


Subject Access Requests

An individual has the right to obtain confirmation their data is being processes, and access to their personal data.  These rights are similar to existing subject access rights under the DPA, however unlike the DPA the GDPR removes the standard £10 subject access fee which was charged, the information must be provided free of charge.

Conditions are in place when a reasonable fee can be charged such as when a request is clearly unfounded or excessive, especially if this means it’s repetitive.  A fee can also be charged for further requests of the same information.  If a fee is charged it must be based on the administrative cost of providing the information.

The current time requirements under the DPA have also been lowered and must be provided without delay and within one month of receipt, again this can be extended by an additional two months if the request is complex or numerous but the individual must be informed of this within one month with an explanation of why more time is needed.


Right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.  If you have made changes and the same personal data has been disclosed to a third party then you must inform them where possible and inform individuals about those third parties.  When a request has been made by an individual this should be done within a month, as above a two month extension if the changes are complex.


Right to erasure

This is also known as the right to be forgotten. The individual can request deletion or removal of personal data when there is no compelling reason for its continued processing.  This is within specific circumstances, when the data is no longer necessary in relation to the purpose for which it was collected.

Requests are not automatically granted for intermediaries the data subject wouldn’t be able to request this when regulatory and legal reasons mean you have to retain data.


Other Requirements

You should create a data map, this can be done in a number of ways but the idea is you have documented the flow of the information you collect, how its stored, who has access to it, how longs its retained, who its shared with and security in place to protect it.  Having a data map can ensure you know exactly how data is used and processed and can ensure appropriate security is in place.  Should the worst happen and you have a data breach it also means you can very quickly establish the extent of the breach.

All staff should be aware of the GDPR with relevant training so they appreciate the importance of protecting customer data.  Details within a compliance manual would help for staff to access the information when needed. 

As well as the privacy policy and consent forms intermediaries would need staff privacy policies if they employ staff.  Additional care should be taken when handling sensitive data such as health information. 

Security in place, data is often stored in a number of formats, sometimes duplicated with back ups on computer, hard drives and cloud storage.  You need to ensure robust procedures are in place to protect this data, such as encryption, password protection, and locked storage for paper files. 

Measures should be put in place proportionate to your business size and type.  Typically these include your data protection policy, record keeping, staff training and any internal audits or checks to ensure sufficient procedures are in place to protect customer data and evidence how data is used.  This could also mean appointing a data protection officer, detailing the monitoring or routine checks carried out to ensure procedures are current and effective.


Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The notification should describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned, describe the likely consequences of the personal data breach, describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Any data protection breach should be documented and retained for future records.

Where personal data is processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.


This is a summary of the key areas for brokers in getting GDPR ready.  A common sense approach should be taken and if you process and handle a customers data in a fair and clear way so they are fully informed, and protect it as you would want your own personal data protected, then you shouldn’t have any issues.  With a great deal of scare tactics being used by both the press and businesses selling GDPR services, it’s easy to lose track of what’s relevant and needed to ensure compliance.

H3 members will receive updated documents to ensure compliance with the new requirements.  If not a member, please contact us for a no-obligation quote for support; we offer a friendly, personal and tailored service.