Data Protection Act 2018
How does your Insurance brokerage measure up? DPA Paper 1 – June 2018
The Data Protection Act 2018 (DPA) came into force in May 2018 with a great fanfare, largely predicated upon ‘opt-ins’ for marketing consent.
Much focus has been given to the deadline of 25thMay 2018. But this paper looks at two of the key issues that an insurance broker may wish to reflect upon.
Issue 1: The work you have done thus far, is it sufficient and does it address the fundamentals of the DPA? Many organisations have updated their privacy policies in some shape or form. But are they correct and can they evidence that they are complying with the DPA? Do you know the following?
- Who is collecting the data?
- What data is being processed?
- What legal basis do we have for collection?
- Sharing of data?
- How will it be used?
- Storage periods?
- Rights of the data subject?
- How is a complaint raised?
The above may seem simplistic, but we have examined a variety of broker privacy policies and these issues are not adequately addressed.
Issue 2: Many organisations have not addressed DPA Article 28 (3) that requires clear written data protection agreements between the data processor and the data controller. These are mandatory under the legislation. But scores of brokers have not updated TOBA’s to reflect these specific requirements.
Without these agreements in place the insurance broker cannot enforce the data protection requirements with its panel and appointed representatives (if they have any). These agreements we suggest need urgent review.
How we can help you?
Thamer James is a value added GRC (Governance, Risk and Compliance) consultancy. We having a lead associate with experience of preparing DPA contracts and years of experience of data protection within the banking / insurance / financial services sector.
In addition, our panel of consultants include industry professionals in information security systems meeting the best practice Standards of ISO27001 2013 advocated by the ICO to address Article 32 – security of processing.
If you would like to arrange a DPA benchmark review to assess your journey and internal readiness to the Data Protection Act 2018 please contact us.