Forget about Brexit; it is GDPR that is likely to cause the biggest issues for UK life and pension firms in the short and medium term. The General Data Protection Regulation comes into force on 25th May 2018, well before Brexit day, so all firms in the UK that handle any personal data will come under its remit. That will hit life and pension firms heavily, because their business is based on holding large amounts of personal data: it underpins their pricing decisions when selling and administering policies, and it provides the justification for claims when they finally arrive.
The new regulation significantly increases people's rights over the information that a firm holds about them. This covers information held on systems and on paper. Individuals have a right to copies of this data, which must be provided free of charge and within a month. There is almost no limit on the number of times it can be requested, opening up the prospect of multiple vexatious requests from disgruntled customers.
The other rights include a restatement of the ‘right to be forgotten’, i.e. the right to have all of one’s data deleted by the company that collected it, provided that the company is not legally obliged to retain it. There is also a new right – the right to data portability. This is the right to receive a machine-readable copy of the data held by the company so that the customer can take it to a different data processor, i.e. a competitor.
While GDPR is new, and we therefore cannot be certain how the courts will interpret it, it is clear that the ability to establish what data is held on any individual, so that a copy or an electronic copy can be supplied, is going to be important for all life and pension companies from next May. And the problem for life and pension companies remains the age-old one: information is held across disparate legacy systems, from which it cannot easily be extracted and handed to the individual requesting it.
Since charging for the procedure is not an option, technology is the only way that such a burden can be mitigated. It is essential for every life and pension company to begin addressing the issue now, as the scale of the work needed to comply with just these three parts of the regulation is extensive.
The regulation also establishes requirements to ensure that data is used only for the purposes for which it was gathered, that any consent obtained is explicit and retained for inspection purposes, and that the amount of data captured is minimised in order to reduce the risk of gathering excessive data about an individual.
This means that full privacy impact assessments must be undertaken to ensure that the organisation is fully aware of what personal data it is processing and why it is processing it.
The important thing is not to delay. There are fewer than 10 months left until GDPR goes live, so if your organisation is not already running a GDPR project, the time to start one is right now.