Providers and intermediaries should see forthcoming data protection legislation as an opportunity for their businesses, according to Gareth Cameron, group manager for policy and engagement at the Information Commissioner’s Office (ICO).
Speaking at the Association of Medical Insurers and Intermediaries’s Health and Wellbeing Summit yesterday (23 November), Mr Cameron told delegates that complying with the General Data Protection Regulation (GDPR) would make clients more willing to share their information.
He said: "Our research shows it is not just security that people are concerned about, but data being shared for marketing and other purposes.
"When people feel they are being denied control, they use technology to take control themselves.
"If people feel comfortable and they can trust [businesses], they are willing to give businesses more of their data. That is why building trust is always good commercial practice."
Mr Cameron added that people were particularly sensitive about sharing their health data.
He said: “Building system trust and confidence is crucial for long-term success. Regulation can give you the tools to achieve that trust, transparency, control and accountability.”
He said businesses should see the new data protection rules as “an opportunity, not a burden”.
Set to take effect in May 2018, GDPR expands on the existing UK Data Protection Act, introducing a new level of accountability that requires any organisation that handles other individuals’ personal data to show how they comply with its principles.
It is set to affect everyone involved in collecting and processing information and data about individuals in the context of selling goods and services.
One of the major changes brought about by the legislation is that advisers will have to gain clients' explicit consent to collect data and use it for the purposes they require.
In addition, limits on clients’ ‘right to be forgotten’ – to have their personal data erased – that are enshrined in the data protection act will be removed.
Failure to comply with the regulation could see firms slapped with hefty fines of either €20m (£17m) or 4 per cent of annual global turnover – whichever is greater.
Mr Cameron pointed out that the underlying principles of the Data Protection Act remain the same, and the purpose of the GDPR is to bring the existing law into the modern age.
He added that the ICO had been developing tools and guidance to help businesses comply with the regulations.
Stuart Scullion, executive chairman at the Association of Medical Insurers, said he had had more conversations with members about GDPR than about any other topic in the past six months.
In a panel discussion following the talk, Hannah Fry, head of risk and compliance at adviser firm Stackhouse Poland, said: “Good data protection already exists in the majority of businesses. This is about the demonstration of systems to back that up.”
Mr Scullion raised the question whether firms had been given enough time to prepare for the changes, given that MPs are still debating parts of the legislation.
Claire Ginnelly, managing director at broker firm Premier Choice Group, said: “I think every organisation should have carried out an impact assessment. That will focus your mind in terms of the next step.
“I think it is going to be difficult over six months, but if you have done what you can until now you are going to be in a better position.”
Ms Fry said: “I am quite confident that as long as a business can demonstrate what it has done and why, the ICO are not going to come down on you if you can’t deliver.
“That is our plan about how we are going to get there – do everything we can to enable us to react as quickly as we can when the legislation arrives.
“Our big project has been ‘what we have got, where we have got it and why we need to keep it’.”
Information on complying with the GDPR regulations is available at the ICO’s website: https://ico.org.uk/
simon.allin@ft.com
