Is Property Owners business covered by GDPR?
As well as obvious elements such as contact details and DOB, the GDPR specifically defines Personal Data as including “one or more factors specific to the… economic, cultural or social identity of (a) natural person”. This will include the ownership, residential occupancy, management or commercial use of a building or business covered by a Property Owners policy or quote.
What is Personal Data?
Under GDPR, all businesses in Europe have a legal responsibility to protect the Personal Data they hold and process. Personal Data is any information related to a natural person (known as a ‘Data Subject’) that can be used to directly or indirectly identify the person.
This obviously includes name, contact details and date of birth, but could also include two or more non-specific pieces of information that, when combined, could identify specific individuals. Under GDPR, sole traders and some partnerships are considered to be natural persons, and while a limited company is not a natural person, information about a company (details of property owned or claims made, for example) may help to identify a person such as an employee, director or tenant.
Sources
What is personal data? https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
Determining what is personal data https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf
Will broker agents have to issue a Privacy Statement to each of their clients?
Yes. Each Data Controller has a duty to “make certain information available to the data subjects” (in the form of a privacy statement), at the point of collecting personal data from them. When Stride Underwriting arranges cover for a client of a broker agent, it becomes a joint Data Controller with the agent (as does the insurer) and both the Stride Underwriting privacy statement and that of the insurer must be presented with the client’s policy documents. This can be simplified by providing a link to a web page or downloadable PDF in each case. The Stride Underwriting privacy statement is linked to within our TOBA and can be downloaded separately here:
Why do I have to change how I email risk details to Stride Underwriting?
Under GDPR, “appropriate technical measures” must be used to protect Personal Data in your business, for example when storing or transmitting it to others. Standard unencrypted email is considered insecure within financial services, especially given the volume, sensitivity and level of detail of data held for the purposes of an insurance quotation. However, encrypted communications are considered secure, so we are rolling out the Mailock plug-in and portal to all our agents as a simple and free way of encrypting data exchanged between us.
GDPR FAQs for small organisations
Click here for the official Information Commissioner's Office GDPR advice for small organisations.