As all advisers will be very aware, the General Data Protection Regulation (GDPR) is EU-wide legislation designed to improve the way organisations handle personal data, in order to better protect the rights of the public. It must be implemented by 25th May 2018.
All businesses should now be well prepared for GDPR
We’ve been working on our preparations for GDPR, also known as the Data Protection Act 2018, for many months, and no doubt advisers have too. At the time of writing (11th May) all businesses affected by the Data Protection Act 2018 should be making their final preparations, with many ready to go. These preparations aside, there are some practical changes every adviser conducting group risk business should consider making to their day-to-day processes.
5 practical things to think about
1. Make sure data protection is the first consideration in every process.
Advisers should think about what information they are disclosing to insurers. If personal data is needed, they should take precautions when collecting and sharing the information. Data should be shared sparingly and with respect. To do this advisers should also have a clear understanding of what is considered ‘personal data’ in a group risk context and the ICO definition may be useful in this respect. For example, we regard any individual data item or combination of items which could identify an individual as personal data. So just providing an employee’s age rather than date of birth, along with their salary and employer could still be enough to identify that person and therefore the same precautions should be taken. Advisers should also be clear about exactly what information insurers need, and if in doubt they should clarify that. This helps to minimise the data that is collected and shared, while making sure insurers have all the data they need to quote and/or administer the policy.
2. Ensure all data is protected when sending it.
Once you’ve established the need to share personal data, make sure you’ve taken appropriate steps to protect the data. That includes data sent in a spreadsheet. But it could also be any personal data shared in any other document, or by email. We advise that any personal data sent to us by email should be at least password protected with a unique password. Sending the password separately by email is also not advised. Many firms have their own secure email service or have TLS encryption enabled with us. If you’d like to set this up please call us.
3. Minimise manual data touch points when you can.
Every time an adviser handles employee data it brings risk. They are responsible for handling that data securely when it is in their possession. Advisers should think carefully about how and why they handle data in every process. If there is an opportunity to minimise the data they handle, they may wish to take it. Our online services which allow employers to upload their data directly to our secure website are already popular. We expect this to increase post-implementation of the Data Protection Act 2018.
4. Get up to speed on your own and your insurer’s GDPR preparations.
Naturally, the Data Protection Act 2018 is a hot topic for employers. They want to make sure all their suppliers comply with the new legislation. Advisers and consultants therefore need to have a good working knowledge of their own and their insurer’s preparations, not only to field initial questions but to give this topic the importance it deserves.
5. Don’t miss out on insurer communications.
The Data Protection Act 2018 is having a major impact on email marketing practices. All businesses are now adopting explicit opt-in, preference-based email marketing. That will mean less unwanted mail for all, but it could also mean advisers miss out on insurer updates if they don’t sign up. We’ve been asking all advisers currently working with Ellipse to set their communication preferences before 25th May. Advisers who have not done so in time will not receive any future emails from us until they update their preferences.
In a nutshell
As advisers and insurers complete the final stages of their Data Protection Act 2018 preparations, there are some simple, practical changes that advisers may wish to make to their everyday broking processes to keep personal data secure. Given the very nature of group risk products, and inherent sensitivity of much of the personal information collected in order to provide the cover, let alone the fines and penalties for non-compliance, few things are more important than keeping that personal data safe and secure.