GDPR in the Insurance Sector - what has changed?


01 June, 2018

Dan Crayford

Having been looming on the horizon since 2016, GDPR and the Data Protection Act 2018 are now in full force and effect. Insurers, claims handlers, loss adjusters, and solicitors all handle vast quantities and categories of personal data relating to claimants, defendants, witnesses, experts, their own employees (even judges) and so on, and therefore need to be aware of what has changed.

Will the new rules impact how we defend claims or detect fraudulent claims? Yes… and no.

The primary difference between the 1998 Act and the 2018 Act - the change that has got organisations frantically amending their terms and conditions, publishing compliance plans and sending out privacy notices, supplier questionnaires, information sharing agreements and the rest to all and sundry - is the introduction of the accountability principle.

Whilst the data principles set out in the first paragraph of article 5 GDPR are by and large the same as the old data principles that we know and love, the second paragraph of article 5 means that data controllers are now also responsible for and - more importantly - must demonstrate their compliance with the principles. It is no longer sufficient for organisations to have a generic data protection policy in their employee handbook and a template privacy policy on their website. Those handling personal data will need to have a solid paper trail of compliance documents, setting out precisely how they have considered the data privacy impact of all of their business processes, and the measures they have taken to minimise that impact. Further, data processors now have obligations and duties in their own right under GDPR.

What's more, insurance companies are specifically listed in the examples given by the Article 29 Working Party's guidance on data protection officers as the sorts of organisation that will be required to designate a DPO. Many insurers, claims handlers, loss adjusters and so on will also be large enough to be required to maintain a detailed record of processing, detailing all of the processing activities that are carried out within (and without) the organisation, the legal bases of that processing, and other matters.

As a further kick in the teeth, the data protection fee that all data controllers are required to pay to the Information Commissioner's Office every year is going up. This is despite the fact that the central register of data controllers (now known as the central register of fee payers!) has disappeared, owing to the fact that it is now on organisations themselves directly to make data subjects aware of the processing that is going on. Much of the increased revenue being raised by the ICO through increased fees (and, unsurprisingly, a record number of organisations trying to use their payment systems in recent weeks) is being used to fund the greatly increased investigatory and enforcement resources that the ICO has needed to develop.

So that, in a nutshell, sets out a lot of what has changed.

Turning now to what has stayed the same, the exemptions and provisions on the processing of personal data for insurance purposes or in the defence of legal claims are substantively the same under the 2018 Act as they were under the 1998 Act. One of the great myths about data protection law is that organisations cannot do anything with people's information without their consent. In a claims context, there is very little that will actually require the consent of the data subject to be the legal basis for processing their personal data.

In terms of surveillance (and social media trawls), the provision under the 2018 Act on fraud is exactly the same wording as it is under the 1998 Act. Also relevant in terms of social media trawls is the fact that the processing of personal data which are manifestly made public by the data subject (what's more public than Twitter?) does not need consent. The exemptions for the prevention or detection of crime, legal privilege, crime and taxation etc. can be found in schedule 2 of the 2018 Act. Of particular interest to those disclosing documents that amount to personal data is the old exemption relating to information required to be disclosed by law or in connection with legal proceedings. This is now found at paragraph 5 of schedule 2 DPA 2018. The seminal decision in Dunn v Durham is still pertinent in the shiny new world of GDPR. For abuse claims, there is an entire schedule (3) relating to exemptions from the GDPR for health, social work, education and child abuse data.

The problem will continue to be, as it has always been, obtaining personal data from employers, GPs etc of claimants who are likely in most cases to need to rely on the consent of the data subject to disclose it to us (except of course where the employer is the insured, in which case they can rely on the insurance purposes exemption in the 2018 Act).

Forbes Solicitors regularly advise a range of businesses on data protection law including compliance with GDPR, the DPA 2018, PECR and preparing for the ePrivacy Regulation (if ever the government can agree on them), including providing training. We offer a range of fixed fee Data Protection support services, including a dedicated DPO Support Package, and would be happy to discuss how we can assist you with your preparations with the aim of helping to minimise the occurrence of breaches, and in the event of a breach help to reduce the penalty given. If you have any questions, please contact me on 01254 222451 or at
