April Regulatory Bulletin
Welcome to our April Regulatory Bulletin. This month we cover GDPR and IDD and highlight some important actions you need to take now.
We have also created a handy GDPR action checklist you can download and print to help keep track of what you need to be doing now to ensure your are ready for the May 25th deadline.
GDPR – the clock is ticking
We are closely nearing the GDPR implementation date of 25 May 2018 and are working to ensure the way we hold, use, retain and transfer our data is GDPR compliant.
For more general information on what you need to be doing and considering please refer to the ICO website (external link).
What we are currently doing to ensure GDPR compliance may affect you or require you to take some action - please read the below to make sure you are up-to-date.
Third party relations
- We will be amending our TOBAs, these will be ready to be sent out to you shortly so please keep a lookout for these.
- Many of our delegated authority cover holders will already have received an amended contract to reflect the GDPR, with the remainder due to be sent in the coming days.
ACTION: It is important you take the time to review the amended terms and respond to us confirming your acceptance.
Fair Processing Notice (FPN)
ACTION: Hiscox will require you to update each policy schedule that you issue to contain the new Hiscox short form FPN.
Data subject rights
New rights for individuals
Individuals will have increased rights to request access to their data, to ask it be erased, or to limit its use. All with specific time limits for response.
What it means for you:
- In the event Hiscox receive a legitimate data subject request for an individual whose data you have processed on our behalf, we may contact the person specified within your contract as the business representative
- Where the right to access, to be forgotten, rectification, or restriction are invoked, we may ask you to action the request in relation to the data you hold on the individual
- Requests to you need to actioned within 14 days of receipt, with confirmation to Hiscox within this timeframe
- If you are unable to action the request for any reason, Hiscox must be made aware immediately to allow us to instigate the appropriate protocols
- If you receive a request direct from the data subject you must notify us as soon as possible and within 24 hours, providing the necessary information for us to respond within regulatory timeframes
- If you are the data controller, we ask that you notifity us within 24 hours and respond within required timeframes, providing us with a copy of your response
Click here (external link) to visit the ICO website for more information about individuals rights under the GDPR.
Hiscox is making some changes to the way we communicate to ensure the continued protection of our customer’s personal data.
Hiscox protects its emails by using what is called Transport Layer Security’, or TLS, to protect emails, both inbound and outbound. This is convenient for everyone as all the protection happens in the background without you having to do anything further. However, the level of security depends on the receiving server, so encryption cannot be guaranteed unless it is enforced. Where it is supported, enforced TLS can be adopted by both yourself and Hiscox which will guarantee encryption every time. Provided TLS is supported by your email servers this is quick and easy to implement.
ACTION: Contact Fran Varley at uk&[email protected] with the subject line "Personal data encryption" requesting to make arrangements to enforce encryption and ensure all our email communications are encrypted. Please provide your contact details and preferred method of contact so we may email or call you back.
There are occasions when we might want to add some additional protection to our data, for example when we are sharing sensitive (or special category) data. By May 2018, where Hiscox regularly share sensitive data we will be implementing secure messaging. This is unlikely to affect the majority of you but where it does, it means that you will receive a notification email and you will simply enter a password to access the message. You’ll be able to reply and send us secure messages too.
ACTION: If you share sensitive data with us and would like to use our secure message facility, please contact Fran Varley at uk&[email protected] with the subject line "Secure message facility" to make arrangements to set up secure messaging. Please provide your contact details and preferred method of contact so we may email or call you back.
Large volumes of data
We have now contacted many of you to transfer you to the more secure Enhanced File Transfers (EFT) for Bordereau transfers. EFT is a secure method of transferring large files can be implemented quickly and easily. If you have not yet been contracted you can expect to be so by the end of April. This is only applicable to those currently sending Bordereaux using email.
To discuss any of the above further or to arrange your data transfer mechanisms please contact:
Fran Varley, GDPR business analyst, UK & Ireland
Email: uk&[email protected]
The (delayed) Insurance Distribution Directive
- You will probably be aware that the IDD implementation date has been delayed from 23rd February 2018 to 1st October 2018. This has been confirmed by HM Treasury at a UK level, but isn’t likely to be officially confirmed by the EU until later in the year.
- Please make sure you check your respective financial services regulator’s website for any guidance, updates, or final rules.
The FCA website for the UK www.fca.org.uk (external link)
The Central Bank of Ireland for Ireland www.centralbank.ie (external link)
Should you have any questions or wish to discuss any of the above please email us at uk&[email protected]