The GDPR adds further complexity to the already heavily regulated Financial Services and Insurance sector.  Many of the GDPR’s requirements are complementary to existing legislation, but special attention must be paid to personal data protection.

Finance and insurance companies often process large amounts of personal data, often of a sensitive nature.  Particular attention must be paid to ensure it is only used for the intended purpose, that it is only shared in a controlled way and that it is retained and disposed of appropriately and in a timely fashion.

The use of data for profiling and automated decision making is also strictly legislated under the GDPR.

This page explains what data protection legislation means for finance & insurance organisations and the key areas they need to consider when managing personal data.

WHAT DOES THE LEGISLATION MEAN FOR FINANCE & INSURANCE ORGANISATIONS?

Like all other organisations, finance & insurance organisations must:

• Be transparent in the way they process personal data and accountable for doing so
• Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
• Understand the data they have, where it is stored and who has access to it
• Implement robust processes and procedures to protect personal data
• Allow users, data subjects and staff to:

  • Access the data stored on them
  • Ensure the data is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

• Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale
  • Use the data for profiling or automated decision making


IMPORTANT DATA PROTECTION CONSIDERATIONS FOR FINANCE & INSURANCE ORGANISATIONS

Finance and insurance organisations must protect personal data in a wide range of their operations.  Some major considerations include:

Complementary Regulations

  • Financial Conduct Authority (FCA) regulations
  • PCI Credit card regulations
  • Banking regulations
  • Anti-money laundering regulations
  • Understanding audit and inspection requirements

Handling sensitive and special category data

  • PCI Credit card regulations
  • Banking regulations
  • Anti-money laundering

Managing sensitive and special category data

  • Data Protection Impact Assessments
  • Personal data, financial data, medical data, records of criminal convictions especially for Insurance

Multiple and legacy systems

  • Duplicated data held on multiple systems and data minimisation
  • Data retention and disposal
  • Mechanisms for handling DSARs

Administration

  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Data Security

  • Maintaining network and server security
  • Data encryption
  • Cyber security

Policies and agreements

  • Privacy, retention, cookie and data protection policies
  • Staff handbooks

Sharing data with others

  • Transfers with 3rd parties
  • Data transfers outside the EU
  • Data processing and data sharing agreements

Handling large quantities of data

  • Appointing a designated DPO
  • Profiling and automated decision making

If you would like to speak to us about any of our Data Protection consultancy services
