Here are some answers to frequently asked questions from insurance clients.
Will the GDPR stop us from complying with our other regulatory requirements, such as Anti-Money Laundering, Know Your Customer and Open Banking requirements?
We do not believe that data protection law prevents organisations from complying with other financial regulatory requirements. The GDPR allows you to process personal data where it is necessary to comply with other legal obligations, and the FCA takes data protection into account when it is setting its own regulatory rules.
ICO and FCA joint statement
The FCA and the ICO released a joint statement in 2018 on the effect of the GDPR on other regulatory requirements in the financial services sector.
Financial Services firms asked the Financial Conduct Authority (FCA) about their ability to comply with both the GDPR and rules made by the FCA. The ICO and the FCA believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.
Will I need consent to process personal data under GDPR?
Not necessarily. Like the current Data Protection Act 1998, there are a number of different lawful bases for processing personal data, and consent is just one of them.
In some cases, consent will be an appropriate way to legitimise your processing. However, there will be situations when consent is not the appropriate legal basis – for example, if you are processing personal data for the performance of a contract with the data subject, or if you are complying with a legal obligation.
What if someone asks us to delete data using their ‘right to be forgotten’, but we need to keep the data for our own purposes or for a regulatory requirement?
Individuals have a new ‘right of erasure’ under Article 17 of the GDPR, also known as the ‘right to be forgotten’. However, this is not an absolute right that you will always have to comply with.
Generally speaking, if you have a genuine need to continue processing that personal data (for example, because you have a legal obligation to do so), you will be able to do this. However, you must consider each request on its own merits and, if you decide not to delete data when requested by a data subject, you will need to be able to justify why.
Do I need to appoint a data protection officer (DPO)?
The GDPR does not always require you to appoint a DPO. However, you will need to do so if:
- You carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- You carry out large scale processing of special categories of data or data relating to criminal convictions and offences.