A few months back I wrote an article about the benefits risk practitioners could gain from the challenges that impending changes to data protection would bring. Hopefully some readers took this on board and turned it to their own and their organisation's advantage.
In this brief article about the GDPR I shall focus on the challenges the insurance claims team will face when the requirements of the General Data Protection Regulation kick in, and on how we, as a software partner, will address them.
So what are the main differences between the DPA and GDPR and how will these impact upon the claims team?
Well, we are down from eight principles to six, but the fines for misuse of data have been significantly increased. It is worth noting that fines were already rising under the DPA: in 2017 they totalled over £3M. The six principles, and what each means for a claims team, are:

1. Lawfulness, fairness and transparency. Data must be accessed and used lawfully, fairly and transparently. On claim forms this means a privacy and data use statement, including how long the data will be retained, and a recorded lawful basis for the processing. Express consent is one such basis, but not the only one: claims handling will often rest on performance of the insurance contract or a legal obligation instead, and consent should not be relied on where another basis applies, since consent can be withdrawn.
2. Purpose limitation. Data may be used only for specified, explicit and legitimate purposes; here, the settlement of the claim and nothing else.
3. Data minimisation. Data use must be adequate, relevant and limited to what is necessary for that purpose.
4. Accuracy. Consideration must be given to how accurate the data held is and how it is kept up to date.
5. Storage limitation. Data must be held in a form that identifies the data subject for no longer than necessary. This is an interesting point, as it suggests that once a claim is settled the data could be deleted. For a claims team, however, data may need to be held for longer when it relates to claims involving minors, potential long-tail claims and fraud prevention, so the retention period and its exceptions should be defined and documented rather than left to chance.
6. Integrity and confidentiality. Appropriate technical or organisational measures must be in place to protect against unlawful or unauthorised processing and against accidental loss or destruction.

A Data Protection Officer will also need to be appointed, although the post does not have to be on site.
To assist our clients, JCAD is developing tools that will identify claims which have exceeded a defined retention period. So that financial and analytical records can be retained, options will be offered for the depth of anonymisation applied. The anonymisation process will cover the electronic data within the database as well as the deletion of diary records and the attached documents and emails.
This will be an irreversible database transaction, so the feature will be restricted to specific staff to avoid mistakes. Daily notifications of records that breach the retention criteria will be sent to users so that these can be processed to ensure compliance with the new GDPR requirements. Note that anonymising the live database does not by itself remove personal data from backups, exports or audit logs, so those copies need their own retention rules.
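As an added illustration, and not JCAD's code or the tool described above, here is one way such a retention sweep and tiered anonymisation could be implemented in Python: a daily check that flags settled claims past their retention date, with longer periods for minors and long-tail claims and an indefinite hold for fraud-flagged claims, plus an anonymisation step that is restricted to authorised roles, refuses claims that are not yet due, and offers a "minimal" depth that keeps financial and analytical fields and a "full" depth that also deletes documents and diary entries. The retention periods, the age-of-majority rule, the role names, the field names and the sample claims are all assumptions made for the example.

```python
"""Retention sweep and tiered anonymisation (illustrative example, not JCAD's code).
All policy values, field names and role names below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy values (not taken from the article).
DEFAULT_RETENTION_YEARS = 7        # keep settled claims this long by default
LONG_TAIL_RETENTION_YEARS = 21     # assumed longer period for long-tail claims
AGE_OF_MAJORITY = 18               # for minors the clock starts at their 18th birthday
AUTHORISED_ROLES = {"data_protection_officer", "claims_manager"}  # assumed role names
IDENTITY_FIELDS = ("claimant_name", "date_of_birth", "address", "email")
DEPTHS = ("minimal", "full")


@dataclass
class Claim:
    claim_id: str
    claimant_name: Optional[str]
    date_of_birth: Optional[date]
    address: Optional[str]
    email: Optional[str]
    claim_type: str                      # analytical field, retained at every depth
    settled_amount: float                # financial field, retained at every depth
    settled_date: Optional[date]         # None while the claim is still open
    fraud_flag: bool = False
    long_tail: bool = False
    documents: list[str] = field(default_factory=list)
    diary: list[str] = field(default_factory=list)
    anonymised_depth: Optional[str] = None


def add_years(d: date, years: int) -> date:
    """Add whole years, falling back to 28 Feb when 29 Feb does not exist."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(claim: Claim) -> Optional[date]:
    """Last day the claim may be kept in identifiable form, or None if it must
    be held indefinitely (open claims and fraud-flagged claims)."""
    if claim.settled_date is None or claim.fraud_flag:
        return None
    start = claim.settled_date
    if claim.date_of_birth is not None:
        majority = add_years(claim.date_of_birth, AGE_OF_MAJORITY)
        if majority > start:             # claimant was a minor at settlement
            start = majority
    years = LONG_TAIL_RETENTION_YEARS if claim.long_tail else DEFAULT_RETENTION_YEARS
    return add_years(start, years)


def claims_due(claims: list[Claim], today: date) -> list[tuple[str, date]]:
    """The daily report: (claim_id, retention_end) for every unprocessed claim
    that has passed its retention end date."""
    due = []
    for c in claims:
        if c.anonymised_depth is not None:   # already processed, do not re-alert
            continue
        end = retention_end(c)
        if end is not None and today > end:
            due.append((c.claim_id, end))
    return due


def anonymise(claim: Claim, depth: str, actor_role: str, today: date) -> Claim:
    """Irreversibly strip identity fields; at depth 'full' also delete documents
    and diary entries. Restricted to authorised roles and to claims actually due."""
    if actor_role not in AUTHORISED_ROLES:
        raise PermissionError(f"role {actor_role!r} may not anonymise claims")
    if depth not in DEPTHS:
        raise ValueError(f"unknown anonymisation depth {depth!r}")
    end = retention_end(claim)
    if end is None or today <= end:
        raise ValueError(f"{claim.claim_id} has not exceeded its retention period")
    for name in IDENTITY_FIELDS:
        setattr(claim, name, None)
    if depth == "full":
        claim.documents.clear()
        claim.diary.clear()
    claim.anonymised_depth = depth
    return claim


def sample_claims() -> list[Claim]:
    """Constructed sample data for the example; these are not real claims."""
    return [
        Claim("C-1001", "A. Adult", date(1980, 4, 2), "1 High St", "a@example.com",
              "motor", 4200.0, date(2015, 3, 10),
              documents=["loss_report.pdf"], diary=["2015-03-10 settled"]),
        Claim("C-1002", "B. Minor", date(2010, 6, 1), "2 High St", "b@example.com",
              "injury", 15000.0, date(2015, 3, 10)),
        Claim("C-1003", "C. Flagged", date(1975, 1, 1), "3 High St", "c@example.com",
              "property", 900.0, date(2012, 7, 1), fraud_flag=True),
        Claim("C-1004", "D. LongTail", date(1960, 9, 9), "4 High St", "d@example.com",
              "liability", 80000.0, date(2003, 1, 1), long_tail=True),
        Claim("C-1005", "E. Open", date(1990, 2, 28), "5 High St", "e@example.com",
              "motor", 0.0, None),
    ]


if __name__ == "__main__":
    today = date(2026, 1, 15)            # assumed "today" for the sweep
    for claim_id, end in claims_due(sample_claims(), today):
        print(f"{claim_id}: retention ended {end.isoformat()}")
```

With the assumed date of 15 January 2026 the sweep reports C-1001 (an adult's claim settled in 2015) and C-1004 (a long-tail claim settled in 2003), while the minor's claim, the fraud-flagged claim and the open claim are held. The eligibility check inside anonymise, rather than only in the report, is what stops an authorised user from wiping a claim the report never listed.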
If you would like to discuss this in more detail please get in touch.