GDPR Creates New Rights for Individuals

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. The GDPR provides the following rights for individuals:

1. The Right to be Informed
2. The Right of Access
3. The Right to Rectification
4. The Right to Erasure
5. The Right to Restrict Processing
6. The Right to Data Portability
7. The Right to Object
8. The Right to Manual Processing

These are the key rights that a data subject can ask to be enforced. Insurance companies need a business process and the right systems in place to cope with these demands.

The Right to be Informed

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. [Source: ICO]

That is the right to be informed of a data protection breach. A data subject has the right to know if their data has been breached so they can take appropriate action. In telling the data subject that their data has been breached, the company also needs to inform them of the type of data that has been lost or stolen and the potential consequences. If it is the data subject’s name and email address that has been divulged, for example, then they might look out for messages or scam email. If it’s their home address or biometric or medical information, then they need to know what action to take and be informed of that quickly. An example of an inadequate data breach response was the Yahoo incident, a very poor breach notification where people were hacked in 2015, over two years ago, but were not informed by Yahoo.

The Right of Access

Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information.

The right of access gives a data subject the right to ask for a copy of their data in a human-readable form. It is important to be specific. Informing the data subject that their data is held at Branch 18, for example, is not good enough: be precise if it’s in a Sheffield branch. You must be able to decode that information. The difference under GDPR is that companies can’t charge a fee for providing this information. Under the DPA companies can charge a minimal £10 fee.

The Right to Rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. [Source: ICO]

What happens if a data subject requests access to their data and, on receipt of that information, they realise that the organisation has confused them with someone else? There may be two people living at the address with the same name; or, for example, there is a John Smith and a Jane Smith, and the data subject recognises that in some instances they may have been confused with Jane Smith, who may be their wife or no relative at all. The data subject has the right to have the information corrected, and firms need to have appropriate measures to assure the quality of the data. If a company’s processes are failing or people are trained badly, that is bad for the business, but it could also impact the company’s reputation.

The Right to Erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. [Source: ICO]

A data subject can ask for their data to be removed. Imagine a motor policy from a few years ago. The data subject cancels the policy because they are unhappy with the service. Two years later they ask for data from the data processor with whom they terminated their insurance policy and it turns out that the processor still retains lots of personal data that the policyholder does not want them to have. Under GDPR we can all ask for that information to be erased.

A common question that I am often asked around this is: if someone asks for their data to be erased, am I (the data controller) allowed to keep a record of the fact that they asked for their data to be erased and that their data has then been erased? There are shades of Catch 22 around this, but the answer, ultimately, is simple. The answer is yes: you must record that the data has been erased, and this must be shown to have occurred (or evidenced).

The Right to Restrict Processing

Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. [Source: ICO]

In a nutshell, this is the right of the data subject to say “Until you correct my data you cannot use this in the way that you said you would. You must not use the data to provide a service to me.” If it is an insurance policy, it may be something that affects a policy or a rating, or it may be a difference in address, but the insured/data subject has the right to request a restriction of processing.

The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. [Source: ICO]

Data portability is an interesting one for many businesses, but particularly financial services, because the rights of the data subject are such that they can request a copy of their data in machine-readable form to provide to another supplier/provider. The insurance aggregation sites, for example, are going to have a field day with this right because, rather than having to retype all the data subject’s information, they are going to be able to request a copy of the data and automatically feed it into their aggregation engine before sending it to other insurance companies with the purpose of obtaining a cheaper quote.

Insurers will need to update their systems and make sure business processes cater to the fact that their existing clients can ask for their data to make it easier for them to leave their existing service provider. The challenge for insurers is that all their computer systems now must be able to export the data of the subject in an industry common/specific format.

A common insurance system, “System X”, today collates and collects details of the insured. Presently there is no mechanism for “System X” to read a data portability request, export that data in a common format such as XML or a CSV file, and deliver it in a secure fashion so that the data subject can then use that data to obtain an alternative quote on that business or take over that account or policy.

The Right to Object

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
• direct marketing (including profiling); and
• processing for purposes of scientific/historical research and statistics. [Source: ICO]

The data subject has the right to object to the way their data is being used if they think it is disproportionate to the purpose. A company must have a stated purpose for why they are collecting the data, such as for the provision of motor insurance, for example, and the purpose must be specific. There can, of course, be multiple purposes. The company can say it is for the provision of motor, life, and marketing information relating to services provided etc. That’s OK, but the purpose can’t be provision of motor insurance and credit card marketing too unless the data subject has been made aware of and has signed up for that. To summarise: if the data is being used in a way that the data subject thinks is incompatible with the purpose, or if they think it is too onerous or disproportionate, the data subject has the right to object.

The Right to Manual Processing

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision-making and consider whether you need to update your procedures to deal with the requirements of the GDPR. [Source: ICO]

In simple terms, imagine someone applies for a mortgage and the computer returns a negative response. Under GDPR we now all have the right to ask for an explanation, but also to ask for manual processing. In a similar way, in a personal lines insurance scenario, say a motor policy, a person receives a higher than expected quote for their motor insurance renewal, with no explanation why. Under GDPR, the person can not only ask why the quote is higher, but can even ask for the quote to be processed manually. This may be of particular interest to personal lines businesses, which have taken advantage of automation.

Conclusion

All these data rights are designed to put the power back in the hands of the data subject as the owner of their data. Remember that all of us as data subjects are only giving the companies who hold our data the right to use our data: companies, whether they are banks, insurers or anyone else, do not actually have any power over the data. That is an important distinction, and businesses that forget that point put their revenues and their reputation at risk.

Darren Wray