The UK GDPR and DPA 2018 for insurers
Produced in partnership with Jade Kowalski of DAC Beachcroft

The following Insurance & Reinsurance practice note, produced in partnership with Jade Kowalski of DAC Beachcroft, provides comprehensive and up-to-date legal information covering:

  • The UK GDPR and DPA 2018 for insurers
  • Data protection principles
  • Data minimisation
  • Storage limitation
  • Lawful basis for processing personal data
  • Conditions for processing special categories of personal data
  • UK DPA 2018—‘insurance’ condition for processing special categories of personal data
  • Other UK-specific conditions
  • Processing of criminal offence data
  • Data subject rights

The UK GDPR and DPA 2018 for insurers

This Practice Note provides an introduction to the basic data protection issues relevant to insurers when processing personal data under the UK General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) and the UK Data Protection Act 2018 (DPA 2018). It focuses on the data protection principles, lawful basis for processing, data subject rights and exemptions.

For a comprehensive overview of the UK GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR).

The insurance industry is particularly data rich. Insurers rely on the collection and processing of personal data for core activities such as assessing premiums, detecting fraud and handling claims. However, the complexities of the insurance industry and, in particular, its distribution chains, can result in practical challenges to compliance with data protection obligations.

Data protection principles

All controllers need to comply with the data protection principles. For a full overview, see Practice Note: Data protection principles.

The following principles may present specific challenges for insurers.

Data minimisation

Article 5(1)(c) UK GDPR states that personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. This is known as the principle of ‘data minimisation’.

Under this principle, it is important to ensure that the personal data being processed is adequate (sufficient to fulfil the stated purpose), relevant (has a
