Data protection laws are changing - what to look out for
MIB manages numerous customer databases and has a major role in data asset management for the insurance industry. As we work towards a seamless transition to new data protection laws, including GDPR, we will be taking a close look at some of the major areas of change that insurers need to look out for. In this issue, MIB insight focusses on Accountability.
Accountability
Accountability is being referred to as the new ‘seventh’ data protection principle. Under the new data protection laws an organisation must not only comply with the other principles when it uses personal data, it must also be able to demonstrate that compliance, which is what the specific duties below are designed to evidence.
Specific aspects you need to consider include:
1 Documentation
Documentation has evolved from an ‘optional extra’ to a mandatory substantive duty.
Organisations with 250 or more employees, and smaller organisations whose processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal offence data, will need to maintain a Record of Processing. This records what personal data they process, the purposes for which it is processed, the categories of data subjects and recipients, retention periods and the security measures in place, together with how they comply with the conditions required for the processing to be lawful.
Many organisations in the insurance industry will also need to create a Policy Document, because they rely on particular conditions for processing special category data (for example health data) or criminal offence data. The Policy Document explains the retention and erasure practices they have in place for that data and how they comply with the data protection principles.
2 Assessments
Data Protection Impact Assessments (DPIAs) help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. Historically, privacy impact assessments have been promoted by the Information Commissioner’s Office (ICO) as best practice rather than required by law.
Under GDPR, organisations will be required to carry out a DPIA, before the processing begins, wherever processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies are used. Large-scale processing of special category or criminal offence data, systematic and extensive profiling that produces legal or similarly significant effects, and large-scale systematic monitoring of public areas are examples that always require one.
A Legitimate Interests Assessment (LIA) should be conducted if an organisation is relying on Legitimate Interests as the condition that makes its data processing lawful. The LIA records the three-part test: identify the legitimate interest, show that the processing is necessary to achieve it, and balance it against the interests, rights and freedoms of the data subject. If those interests override the organisation’s own, Legitimate Interests cannot be relied on.
DPIAs and LIAs are an integral part of taking a privacy by design approach. The ICO is working to update its DPIA guidance and develop LIA guidance.
3 Data protection officer
Under GDPR, many organisations will be required to appoint a Data Protection Officer (DPO). This is required where:
• the organisation is a public body;
• the core activities involve regular and systematic monitoring of data subjects on a large scale; or
• the core activities consist of processing special categories of data and/or criminal data on a large scale.
The DPO’s tasks will include: informing and advising the organisation and its staff on their data protection obligations; monitoring compliance, including assignment of responsibilities, awareness-raising and training; advising on DPIAs; and acting as the point of contact for supervisory authorities and for data subjects.
The DPO should have expert knowledge of data protection law and practice, and must be positioned in the organisation so that they act independently, are not penalised for performing their tasks, and report directly to the highest level of management.
4 Privacy by design
Privacy by design is an approach to projects that builds privacy and data protection compliance in from the start, rather than adding it at the end. It has long been an implicit requirement of data protection that the ICO has championed; under GDPR it becomes an explicit legal obligation, referred to as data protection by design and by default.
For example, organisations should have data privacy as a consideration when:
• building new IT systems;
• undertaking new data sharing arrangements;
• using data for new purposes.
By integrating privacy by design into business processes and project management, organisations are more likely to meet their legal obligations and less likely to breach data protection law.
The ICO is working to update the guidance on privacy by design to reflect the provisions of the GDPR.
The new law also endorses adherence to approved codes of conduct and certification mechanisms as a means of demonstrating compliance.
Look out for more on GDPR in the next issue of MIB insight.