The long-awaited General Data Protection Regulation (GDPR) becomes legislation in a week, on 25 May 2018. Below Narrinder Taggar, Partner and defendant personal injury insurance litigation specialist at Shakespeare Martineau, sheds light on the extended implications of the regulation on the insurance sector.

With GDPR coming into play, organisations across a wide variety of sectors and industries, including insurance companies, will be forced to adjust and assess their data protection strategies or face fines of up to €20 million or 4% of annual turnover, whichever is greater.

The GDPR contains rules protecting individuals when their personal data is processed. This also includes further rights around how this personal data is handled and shared with other parties.

The sensitive nature of personal information used in many insurance claims could cause a serious headache for the industry and is set to cause significant disruption to how all parties involved in the insurance claims process store, manage and process personal data. The risk created when information is shared between claimants/their advisors, brokers; insurers and other parties, such as medical professionals, all of which would be classed as “data controllers”, is great.

A data controller determines the purposes, conditions and means of the processing of personal data. The data processor is the entity that processes data on behalf of the data controller.

But what about accident investigators, who are instructed to process data on behalf of the data controller? They may well be data controllers for the purposes of obtaining and drafting witness statements which would be subject to legal professional privilege until such time the statements are disclosed to any third parties. Of course, it should be noted that a claimant does not have a right to access any data which is subject to legal professional privilege.

With the GDPR placing a greater emphasis on transparency and accountability, the insurance industry will have to be even more careful with the storage of sensitive data. With personal data being intrinsically linked to the claims process and regularly being shared with third parties, the need to be prepared is particularly urgent and parties must rethink exactly how this information is shared during the process.

Hard copy documents such as instructions to barristers may have previously been sent in the post. However, under the new GDPR it remains to be seen whether this way of sharing sensitive documents will still be deemed to be a compliant activity. Instead, encrypting files containing sensitive personal data is set to become the norm.

Under the GDPR all data controllers will be responsible to ensure not only that the receiver, or processor, is GDPR-compliant, but also to find how they intend to store and use data and delete the data once it is no longer required. This can be achieved through the arrangement of a data sharing agreement. This might include a description of the data processing, an assessment of any possible risks and how those risks will be mitigated. Because of the need to ensure compliance throughout all stages of the process, those involved in insurance claims, for example insurers and their solicitors, should set up data sharing agreements with their contacts and suppliers; including other data controllers.

However, duty of compliance also continues after the claims have been settled. The 'right to be forgotten' places a responsibility on the controller to delete any personal data if requested by the subject and not to keep data any longer ‘than is necessary for the purposes for which the personal data is processed’. Yet, there are a number of grounds in which data controllers may keep personal data, including if it needs to be retained in case of any further legal proceedings for example appeals. Therefore, organisations may need to set their own retention periods for data depending on the information in question and how it may be used in future. It is worth remembering in this case that any data deemed relevant must be recorded and held securely offline.

Under the new requirements, data controllers will be obliged to report breaches to the relevant authority within the first 72 hours. Should a breach occur under the new legislation, the fault will lie not only with the data controller but could also lie with the data processor who shared the information, making it vital for all parties to be accountable for the information they process.

The GDPR has undoubtedly changed the goal posts for the insurance industry and many questions still remain around the identification of sensitive information and how the usual correspondence between parties will be affected after the new legislation is introduced. With such large penalties coming into play, the worry of doing something wrong has never been greater.

The industry currently awaits further guidance from the UK Information Commissioner on what the legislation will really mean in practice. However, with the deadline fast approaching, doing nothing is no longer an option. The industry must prioritise collaboration and transparency, in order to ensure they are fully prepared for the changes ahead.