
General Data Protection Regulation


What is the General Data Protection Regulation?

The increasing pace of technological change and globalisation has brought new challenges for the protection of personal data. The GDPR has been introduced to reflect the changes in technology since the Data Protection Act 1998 was passed.
  • When does it come into effect?

    It will come into effect from 25 May 2018.
  • What are the changes?

    The Information Commissioner’s Office (ICO) has issued a substantial body of guidance on which firms can base their preparations, and further guidance following the consultation on consent is expected shortly.

    In a nutshell, organisations need to keep records of personal data that they hold/process, keep records of how and when consent was given and what the individual was told, show where the data is going and what it’s being used for, and protect the data they hold.
  • Who does it affect?

    GDPR is a compulsory requirement for any business handling personal data relating to living individuals in the EU. To clarify, the GDPR defines ‘personal data’ as “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier [email, IP address, mobile device ID, etc.] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 1

    Understanding how the GDPR defines ‘personal data’ is vital for every business. For example, a business email address that contains an individual’s name meets the definition of personal data, precisely because the name identifies that individual. A business will therefore need to understand the lawful basis on which it is processing this data.

    Further, how will businesses approach ‘consent’ should an existing client not renew their business? Traditionally, the broker will view this ‘lost’ client as a new prospect for the future. But how will they ensure they have ‘affirmative consent’ to continue to market their services to a client they no longer hold?

    GDPR is a golden opportunity to review the information you hold and embed solid GDPR policies and procedures. If done correctly, these changes will not only ensure that your business is compliant, but they also have the capacity to deliver commercial gains for your business.
  • What are the key principles?

    GDPR has six key principles, set out in Article 5 of the Regulation and summarised in the ICO’s guidance as follows:

    “Article 5 of the GDPR requires that personal data shall be:

    (a) processed lawfully, fairly and in a transparent manner in relation to individuals;

    (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

    (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

    (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

    (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

    (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

    These six principles are underpinned by Article 5(2), referred to as the accountability principle, which “requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

    Businesses need to have a clear understanding of what ‘affirmative consent’ means so that they can ensure their marketing activities are GDPR compliant: where they rely on consent as the basis for marketing, they will need to be able to demonstrate that they hold ‘affirmative consent’ for each and every one of their new business prospects, whether these be individuals or commercial clients.
  • Where should you start?

    25 May is not far away and the sooner businesses begin to take action to meet the requirements of the GDPR, the better prepared they will be. There are a few key steps you should be taking now:

    1. You need to make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR.

    2. Review your organisation’s risk register, if you have one, and add the compliance risks you identify under GDPR.

    3. Plan for the resource implications: implementing GDPR could require significant time and budget, especially for larger and more complex organisations.

    4. You should raise awareness of the changes that are coming and not leave preparations until the last minute.

    5. Consider employee awareness training. RWA’s ‘My Development Zone’ is a useful online learning platform with a full GDPR pathway that employees can undertake. 

    For more details on the accountability principle and what is required, please see the ICO’s Guide to the General Data Protection Regulation. 1

    If you would like further support to help you stress-test your GDPR compliance, RWA can also assist you with an initial health check and with further high-level process implementation support.
Andrew Linnell, Strategy, Planning and Growth RWA Solutions

Andrew is a leading independent expert in the UK general insurance market, working with brokers to achieve their personal and business goals, and with insurance companies to achieve their distribution and growth objectives in the broker distribution channel.

1 Guide to the General Data Protection Regulation, ICO, November 2017

This article is provided for information purposes and is general and educational in nature. Nothing in this article constitutes legal advice. You are free to choose whether or not to use it and it should not be considered a substitute for seeking professional legal help in specific circumstances.
