The General Data Protection Regulation (GDPR) brings in changes to the legislation that regulates the protection and use of personal data. The GDPR comes into force on 25 May 2018.
The GDPR puts more control into the hands of data subjects (the person), so that they can better understand how data about them is being used. For insurance, this includes how data is used in relation to marketing preferences, right through to how insurers are using external data providers to assist in the pricing of the insurance products.
Further to this, the regulation adds more stringent rules on how personal data is managed and protected, and gives data subjects greater rights over what happens to their personal data.
With this in mind, we’re developing our software to help our customers comply with the GDPR. SSP has a programme of work already underway to ensure that our systems will support our customers in their GDPR compliance.
As mentioned previously, the GDPR strengthens and widens current data protection legislation, and there are some significant new elements and features to be
I’m sure you will be aware that the regulators can issue larger fines for breaches of the legislation.
These can be up to 4% of the total worldwide annual turnover of the breaching organisation, or 20 million euros, whichever is higher. Data subjects also have new and enhanced rights over the personal data that you keep, so you need to ensure that your procedures will cover, and demonstrate compliance with, all of these. The data subjects’ rights include the so-called “right to be forgotten” and the right to receive personal data in a portable format.
Over the last few months, we have been communicating information to our customers in relation to their software systems, as well as more general hints and tips on their GDPR compliance. To that effect, we have compiled a list of some frequently asked questions, which we hope you will find useful.
How is SSP dealing with the changes to the GDPR legislation?
SSP’s GDPR programme has been running since last year. There are two major streams of work that affect our clients:
1. SSP Software
The work on changing our software to enable our customers to comply with GDPR is well under way. For each product, customers will soon receive a notification of what changes are being made, when they will be released and guidance on use of the changed software.
2. Looking after your data
All SSP employees will be receiving training on the GDPR before May 2018. In addition, those employees who are involved in looking after our customers’ data will receive specialised training in SSP’s duties in this regard.
We have made changes to our ISO 27001-compliant information security management system to ensure that the measures protecting our customers’ data are in line with the GDPR’s requirements.
To underpin SSP’s commitment to the GDPR, all customers will be receiving amended contract terms to ensure compliance with Article 28 of the GDPR, which places obligations on our customers to have specific contract terms with data processors like SSP.
How are you dealing with transfers of personal data outside of the European Economic Area (EEA)?
Transfers of personal data outside of the EEA must use one of the transfer mechanisms the GDPR permits, such as European Commission standard data transfer contracts, Privacy Shield (for transfers to the USA) or Binding Corporate Rules.
At present, personal data processed by SSP — both the data for which we are data controller and that which we process on our clients’ behalf — does not leave the EEA. We are currently exploring limited access to personal data by our SSP colleagues based outside of the EEA, to facilitate our ambitions to offer around-the-clock support services to our clients. We will be communicating further on this subject later this year.
How are you dealing with security for all personal data?
This is part of SSP’s general GDPR compliance programme. As mentioned, SSP is starting from a strong base in that it already has ISO 27001 certification, which underpins a robust and reliable information security management system implemented across all of our worldwide operations.
Where appropriate, SSP is itself conducting Privacy Impact Assessments on our personal data processing to assure clients that the right level of controls is in place to ensure the protection of their personal data.
How are you approaching strategic governance activities for GDPR compliance?
Given the volumes and nature of the personal data that SSP processes on behalf of its clients, we have a programme underway with key SSP departments to ensure GDPR compliance.
Coming out of the privacy impact assessments that we are conducting (and associated data mapping exercises), we are creating records of personal data processing carried out by each of our product and service offerings.
What is the difference between the Data Protection Bill 2017 and the GDPR?
On 14 September 2017, proposals to amend the Data Protection Act 1998 were introduced into the House of Lords in the form of the Data Protection Bill 2017. The Bill, if enacted, will write into UK legislation both the requirements of the GDPR, and further legislation to apply GDPR principles to other types of data processing. It also includes certain derogations that permit processing of special categories of data for insurance purposes, which the GDPR would otherwise prohibit.
The Bill should be enacted on the day that the GDPR comes into force.
How does Brexit affect the GDPR?
It is important to note that the GDPR will come into effect before the UK leaves the European Union, and the UK’s negotiations with the European Union will last at least two years, taking them through to March 2019. So whatever happens, the GDPR will affect your business and SSP’s business, and we advise that you continue to plan and prepare for it.
Where can I stay in touch with GDPR developments?
For more information about GDPR please contact your SSP account manager.
This article is an extract from SSP eye issue 11
About the Author
Company Secretary and Data Protection Officer — Richard has more than forty years’ experience of working in the IT services sector, for the most part serving the financial services industry. Richard sits on the main SSP management group, and is Company Secretary for all of the SSP group companies in the UK. He is head of Legal and Commercial for the worldwide SSP business, as well as being in charge of compliance, and was appointed SSP’s Data Protection Officer in 2017.