Bringing you up to speed on the General Data Protection Regulation

Posted on: 09 August 2016


In 2018, the European Commission will enforce the General Data Protection Regulation (GDPR), affecting the way personal data is stored and managed by insurers and brokers alike.

What is the GDPR?

The GDPR is a regulation, introduced by the European Commission, designed to strengthen and regulate data protection for people within the European Union. For the UK, the GDPR is set to replace the Data Protection Act 1998. It will come into force 25 May 2018 – before any Brexit. Post Brexit, we’ll no longer be obliged to comply but it seems very likely that any replacement data protection laws will follow similar lines to ensure personal data can flow freely.

A brief background

Until recently, each state has had its own rules regarding data protection. The changes proposed by the European Commission will unify these rules across the EU and ensure that all countries act according to a collective set of data regulations.

It will significantly impact the requirements on insurers and brokers, who handle individuals' personal data: they will have to change the way they store, handle and process their customers' information, or pay a costly consequence for non-compliance.

All companies have until May 2018 to make sure they comply with the new regulation.


What are the changes?

The main changes being brought into force under the GDPR include rules over data breaches, consent and profiling.

Data breaches

Any breach of personal data will now have to be reported to regulators within 72 hours and, in some cases, to the individuals themselves. Serious breaches of data protection laws could result in fines of up to €20m, or 4% of the company's worldwide annual turnover, whichever is higher.

Consent

Regulation over consent requirements will also be tougher. All companies will have to inform their customers of the nature of each type of data usage and be able to prove that they've received consent from the individual. Customers will also be entitled to object to their data being used for insurance activities such as risk and pricing modelling or for direct marketing. They'll also have the right to ask insurers to delete their personal data where it isn't required for its original use, or to request that their personal data be transferred from one insurer to another if they switch providers.

Profiling

Ordinarily, insurers won't be able to make decisions about customers through profiling without a legal right to do so.


Find out more

As part of our ongoing BIBA Broker Guide series in association with BIBA and DAC Beachcroft, we've recently published the BIBA Broker Guide to the General Data Protection Regulation. Providing a high-level overview of the changes, the guide also gives practical steps and expert insight into the insurance considerations.