GDPR best practice and consent

25 July 2018

Following implementation of the General Data Protection Regulation (GDPR) on May 25th, the UK entered into a new age of data protection.

Every business should have been fully prepared for the transition and as a result, should have embedded the systems, policies and processes required to comply with the new regulation.

What is consent?

Consent is one of the six lawful bases for processing, which are set out in Article Six of the GDPR:
“The data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
For further details of the six lawful bases, please refer to the ICO website.

Is consent appropriate for the general insurance sector?

Ultimately, each organisation must define its own lawful basis or bases for processing, but many factors bear on this decision. While the GDPR sets a high standard for consent, you should carefully review whether you actually need it; if consent is difficult to obtain, consider a different lawful basis for processing the data.
An organisation may select multiple lawful bases to cover different processing activities, for different datasets or different stages of the customer lifecycle; but as the ICO states, you should choose an ‘appropriate lawful basis (or bases, if more than one applies) from the start’ and not change them without a good reason.
It may be that an alternative lawful basis such as ‘contract’ or ‘legitimate interest’ is more appropriate for the GI sector, as brokers often have contractual obligations to fulfil, or their duties as a broker can serve as a legitimate interest, although a thorough balancing test would need to be performed.
In each case, the lawful basis needs to be appropriate to the organisation, the relationship with the data subject, and the processing activity.
By now, each organisation should have identified their processing activities and published their privacy statements ahead of the May 25th deadline, so where does this leave consent and when should it be considered?

Best practice for obtaining consent

Organisations should be cautious about over-reliance on consent, but this does not mean that it does not have a role to fulfil. Used correctly, consent enables organisations to build datasets of individuals (data subjects) who want to hear from and hopefully engage with the organisation. Consent should balance the relationship, build trust and engagement, and enhance the organisation’s reputation.
It is up to each organisation to choose the lawful basis which reflects their relationship with the data subject and the processing activity. You can consider using consent when no other lawful basis obviously applies, but conversely, if consent is difficult, it may well be that another lawful basis is more appropriate.

Seven practical steps brokers can take

  • Review the ICO website for a thorough overview of consent, how to obtain consent and what you must do
  • If you are processing special category data, you may require explicit consent to legitimise the processing, unless a specific condition in Article 9 applies. Explicit consent requires a very clear and specific statement of consent and not simply a ‘tick box’. Exemptions for insurance have been included in the Data Protection Act 2018; the Act considers insurance to be included within the ‘substantial public interest’ legal basis, which means that explicit consent may not be required in the majority of cases
  • Be mindful of the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). The EU is in the process of replacing the current e-privacy law with a new e-privacy Regulation (ePR), which will impact upon marketing activity
  • Keep your consent requests separate from other terms and conditions
  • Be specific and ‘granular’ so that you get separate consent for separate things
  • Keep detailed records of consent and the statements that were in place when consent was given
  • GDPR does not stipulate a time limit for consent. How long consent lasts will depend on the context and it should be reviewed and refreshed as appropriate.

In summary

Consent must be freely given, which means giving people genuine ongoing choice and control over how you use their data.
If you are processing personal data using GDPR-compliant consent, then you must give individuals a choice and control over how their data is used and ensure that your organisation is transparent and accountable.
Used correctly, consent can form the foundation of lasting relationships between data controllers and subjects, but failure can result in significant damage to reputations and risk potential fines.

The Information Commissioner’s Office (ICO) has issued a raft of guidance that firms can draw from to base their preparations on and further guidance following the consent consultation can be expected shortly.
In a nutshell, organisations need to keep records of personal data that they hold/process, keep records of how and when consent was given and what the individual was told, show where the data is going and what it’s being used for, and protect the data they hold.
GDPR has six key principles, set out in Article 5 of the GDPR and covered in the ICO’s guidance, as follows:
“Article 5 of the GDPR requires that personal data shall be:
  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
These six principles are underpinned by Article 5(2), referred to as the accountability principle, which “requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Businesses need to have a clear understanding of what ‘affirmative consent’ means so that they can ensure their marketing activities are GDPR-compliant: they will need to be able to demonstrate that they have ‘affirmative consent’ for each and every one of their new business prospects, whether personal or commercial.
The GDPR came into effect on 25 May 2018.
There are a few key steps you should be taking now:
  • You need to make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR.
  • It would be useful to start looking at your organisation’s risk register, if you have one.
  • Implementing GDPR could have significant resource implications, especially for larger and more complex organisations.
  • You should raise awareness of the changes that are coming and not leave preparations until the last minute.
  • Consider employee awareness training. RWA’s ‘My Development Zone’ is a useful online learning platform with a full GDPR pathway that employees can undertake.
For more details on the accountability principle and what is required, please visit:
If you would like further support to help you strength-test your GDPR compliance, RWA can also assist you with an initial health check and with further high-level process implementation support.
GDPR is a compulsory requirement for any business handling personal data which relates to living EU citizens. To clarify, GDPR documentation refers to ‘personal data’ as being “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier [email, IP address, mobile device ID, etc.] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Understanding how the GDPR defines ‘personal data’ is vital for every business. For example, a business email address that includes a personal name – for example, – meets the definition of personal data, as it contains an individual’s name. As such, a business will need to understand on what basis it is processing this data.
Further, how will businesses approach ‘consent’ should an existing client not renew their business? Traditionally, the broker will view this ‘lost’ client as a new prospect for the future. But how will they ensure they have ‘affirmative consent’ to continue to market their services to a client they no longer hold?
GDPR is a golden opportunity to review the information you hold and embed solid GDPR policies and procedures. If done correctly, these changes will not only ensure that your business is compliant, but they also have the capacity to deliver commercial gains for your business.