General Data Protection Regulation 2018

January 16, 2018 Richard Forrest

We're here to help

The General Data Protection Regulation (GDPR) brings in changes to the legislation that regulates the protection and use of personal data. The GDPR comes into force on 25 May 2018.

The GDPR puts more control into the hands of the data subjects (the person), so they can better understand how data about them is being used. For Insurance, this extends from how data is used in relation to marketing preferences right through to how insurers are using external data to assist in pricing the insurance products.

GDPR brings in more stringent rules on how personal data is managed and protected, and gives data subjects greater rights on what happens to their personal data.

With this in mind, we're developing our software to help our customers comply with GDPR. SSP has a programme of work already underway to ensure that our systems will support our customers with GDPR compliance.

Over the next few months, we will be sending out information to our customers relating to their software systems, as well as more general hints and tips on GDPR compliance. In the meantime, we have compiled a list of some frequently asked questions which we hope you will find useful. 


What does it mean for you?

The GDPR strengthens and widens current data protection legislation, and there are some significant new elements and features to be mindful of.

The regulators can issue larger fines for breaches of the legislation. These can be up to 4% of the total worldwide annual turnover of the breaching organisation or 20 million euros, whichever is higher.

Data subjects also have new and enhanced rights over the personal data that you keep, so you need to ensure that your procedures will cover, and demonstrate compliance with, all of these. The data subjects’ rights include the so-called “right to be forgotten”; and the right to receive personal data in a portable format.

How is SSP dealing with the changes to the GDPR legislation? 

We have set a programme, managed by a member of the Executive team, reporting to the Board. The programme has two principal areas of work:

  1. Ensure that we are compliant with the regulation in terms of the storage and processing of personal data under our care

This includes how we handle and process our customers’ client data, our employee data, the design of our software and services, and our security policies, procedures and systems.

  1. Ensure that the requirements of the regulations are built into our software to enable our customers to be compliant

How does this affect me as an SSP customer?  

Where needed, the SSP systems that you use will be modified to help you comply with the requirements of the GDPR. You will be advised on what these changes are, and the implications of their use. Some of these may not be straightforward, and their specific implementation is still being discussed amongst the key stakeholders.

You will also be able to rely on SSP to ensure that the data processing that you conduct on your behalf will be compliant with the legislation.

How are you dealing with agreements between controllers and processors?

The GDPR states that agreements between controllers and processors (and processors and their sub-processors) must incorporate certain minimum data protection clauses.

SSP is reviewing all of our contract terms, with clients, suppliers and subcontractors to ensure that we include appropriate terms to comply with the legislation. 

How are you dealing with transfers of personal data outside of the European Economic Area (EEA)?

Transfers of personal data outside of the EEA must be either a GDPR‑permitted transfer or using an approved mechanism such as European Commission standard data transfer contracts, Privacy Shield (for transfers to the USA) or Binding Corporate Rules.

At present, personal data processed by SSP — both the data for which we are data controller and that which we process on our client’s behalf — does not leave the EEA.

We are currently exploring limited access to personal data by our SSP colleagues based outside of the EEA, to facilitate our ambitions to offer around the clock support services to our clients. We will be doing further communications on this subject later this year.

How are you dealing with Security for all personal data?

This is part of SSP’s general GDPR-compliance programme.

SSP is starting from a strong base in that it already has ISO 27001 certification, which underpins a robust and reliable information security management system, which has been implemented across all of our worldwide operations.

Where appropriate, SSP is itself conducting Privacy Impact Assessments on our personal data processing to assure clients that the right level of controls are in place to ensure the protection of their personal data.

There are no specific technical security descriptions in GDPR (other than high level recommendations concerning encryption, pseudonymisation and anonymisation), but security measures must be and will be appropriate to the data type.

How are you dealing with GDPR obligations i.e. in relation to data subject rights?  

To help controllers and processors comply with GDPR obligations we are working on the policy wording for handling data subject rights for customers in the context of SSP's product lines.

How are you approaching strategic governance activities for GDPR compliance?

Given the volumes and nature of the personal data that SSP processes on behalf of its clients, we have appointed a Data Protection Officer — Richard Forrest, our Company Secretary.

Coming out of the privacy impact assessments that we are conducting (and associated data mapping exercises), we are creating records of personal data processing carried out by each of our product and service offerings; these will be made available to our clients to assist in their GDPR compliance.

SSP are ensuring that legitimate grounds for processing are identified and documented.

What is the difference between the Data Protection Bill 2017 and the GDPR?

On 14 September 2017, proposals to amend the Data Protection Act 1998 were introduced into the House of Lords in the form of the Data Protection Bill 2017. The Bill, if enacted, will write into UK legislation both the requirements of the GDPR, and further legislation to apply GDPR principles to other types of data processing.

At the time of writing (early January 2017) the Bill continues through the report stage in the House of Lords.

GDPR gives member states limited opportunities to make provisions for how it applies in their country. It is therefore important that organisations take note of implications in both the GDPR and the Bill.

How does Brexit affect the GDPR?  

GDPR will come into force on 25 May 2018, when the UK will still be a member of the EU. GDPR is an EU regulation applicable in the UK without the need for domestic UK legislation (and so will apply between May 2018 and any departure from the EU).

On exit from the EU, it is likely that either the Data Protection Bill 2017 will come into force; or the ‘Grand Repeal Act’ will write the then-current data protection legislation (including GDPR) into UK law.

So whatever happens, the GDPR will affect your business and SSP’s business, so we advise that you continue to plan and prepare for GDPR to take effect this coming May. 

SSP is already in full planning mode and looking at which of our operations are established in the UK and may be affected by proposed changes. We will also be checking for relevant developments at regular intervals and keep our plans up to date accordingly.

Where can I stay in touch with GDPR developments?

In addition to the EU’s GDPR website (, the ICO has set up a data protection reform site which contains information and guidance about GDPR and preparing for it:

As well as reviewing the 12 steps to take now on the ICO’s website, you may wish to limit the risk of other breaches of the GDPR when it comes into force in 2018.

For more information about GDPR please contact your SSP account manager or our Data Protection Officer, Richard Forrest, Company Secretary. You can also read our SSP Eye article here: Are you ready for the General Data Protection Regulation.

About the Author

Richard Forrest

Company Secretary and Data Protection Officer — Richard has more than forty years’ experience of working in the IT services sector, for the most part serving the financial services industry. Richard sits on the main SSP management group, and is Company Secretary for all of the SSP group companies in the UK. He is head of Legal and Commercial for the worldwide SSP business, as well as being in charge of compliance and was appointed SSP’s Data Protection officer in 2017.

More from Richard Forrest
Previous Article
 SSP e-trading Q&A
SSP e-trading Q&A

A year has passed since the 2017 Insurance Times Etrading report, what changes have taken place at SSP sinc...

Next Article
Learning about large scale disruption from incumbents
Learning about large scale disruption from incumbents

Innovation is not the prerogative of start-ups – indeed many of today's incumbents were the start-ups of ye...

Working from home support from SSP

View resources