April Regulatory Bulletin

Welcome to our April Regulatory Bulletin. This month we cover GDPR, IDD and Brexit, plus highlight some important actions you need to take now.

We have also created a handy GDPR action checklist you can download and print to help keep track of what you need to be doing now to ensure you are ready for the May 25th deadline. 

GDPR – the clock is ticking 

We are closely nearing the GDPR implementation date of 25 May 2018 and are working to ensure the way we hold, use, retain and transfer our data is GDPR compliant.

For more general information on what you need to be doing and considering please refer to the ICO website (external link).

What we are currently doing to ensure GDPR compliance may affect you or require you to take some action - please read the below to make sure you are up-to-date. 

Third party relations

  • We will be amending our TOBAs, these will be ready to be sent out to you shortly so please keep a lookout for these.
  • Many of our delegated authority cover holders will already have received an amended contract to reflect the GDPR, with the remainder due to be sent in the coming days.

ACTION: It is important you take the time to review the amended terms and respond to us confirming your acceptance.

Fair Processing Notice (FPN)

Transparency of how we use data

All Hiscox Privacy Notices are being updated to ensure that we are transparent about what data we use, how we use it and who we share it with. We need to ensure that this gets to any individual whose data we handle.

What it means for you:

  • Where you collect data on our behalf you must ensure that our Privacy Notices (alongside your own where applicable) are provided to the person whose data you are collecting e.g. upon notification of a claim
  • A copy of our short form Privacy Notice is available for your use here
  • Click here (external link) to see the ICO guidelines on ‘Right to be Informed’
  • For Delegated Authorities, we will be communicating to you regarding the new Hiscox short form FPN from mid-April. This new short form FPN will need to replace any existing form of FPN / privacy policy you currently use. 

ACTION: Hiscox will require you to update each policy schedule that you issue to contain the new Hiscox short form FPN.

Data subject rights

New rights for individuals

Individuals will have increased rights to request access to their data, to ask it be erased, or to limit its use. All with specific time limits for response. 

What it means for you

  • In the event Hiscox receive a legitimate data subject request  that requires your action, we will contact the person specified within your contract as the business representative with any required action
  • Requests to you need to be actioned within 14 days of receipt, with confirmation to Hiscox within this timeframe
  • If you are unable to action the request for any reason, Hiscox must be made aware immediately
  • Where you process data on our behalf, if you receive a request directly from the data subject you must notify us within 1 working day,  providing the necessary information for us to respond within regulatory timeframes

Click here (external link) to visit the ICO website for more information about individuals rights under the GDPR. 

Data Transfer

Hiscox is making some changes to the way we communicate to ensure the continued protection of our customer’s personal data. 

Personal data
Hiscox protects its emails by using what is called Transport Layer Security’, or TLS, to protect emails, both inbound and outbound. This is convenient for everyone as all the protection happens in the background without you having to do anything further. However, the level of security depends on the receiving server, so encryption cannot be guaranteed unless it is enforced.  Where it is supported, enforced TLS can be adopted by both yourself and Hiscox which will guarantee encryption every time. Provided TLS is supported by your email servers this is quick and easy to implement.

ACTION: Contact Fran Varley at uk&[email protected] with the subject line "Personal data encryption" requesting to make arrangements to enforce encryption and ensure all our email communications are encrypted. Please provide your contact details and preferred method of contact so we may email or call you back. 

Sensitive data
There are occasions when we might want to add some additional protection to our data, for example when we are sharing sensitive (or special category) data. By May 2018, where Hiscox regularly share sensitive data we will be implementing secure messaging. This is unlikely to affect the majority of you but where it does, it means that you will receive a notification email and you will simply enter a password to access the message. You’ll be able to reply and send us secure messages too.

ACTION: If you share sensitive data with us and would like to use our secure message facility, please contact Fran Varley at uk&[email protected] with the subject line "Secure message facility" to make arrangements to set up secure messaging. Please provide your contact details and preferred method of contact so we may email or call you back. 

Large volumes of data

We have now contacted many of you to transfer you to the more secure Enhanced File Transfers (EFT) for Bordereau transfers. EFT is a secure method of transferring large files can be implemented quickly and easily. If you have not yet been contracted you can expect to be so by the end of April. This is only applicable to those currently sending Bordereaux using email.

To discuss any of the above further or to arrange your data transfer mechanisms please contact:

Fran Varley, GDPR business analyst, UK & Ireland
uk&[email protected]

The Insurance Distribution Directive

The IDD comes into force in just over 7 months and it is imperative that you make the necessary changes in order to be compliant ahead of October 2018.  Our March Regulatory Bulletin highlights some key areas that no doubt aware of, please review this page for further information.

  • You will probably be aware that the IDD implementation date has been delayed from 23rd February 2018 to 1st October 2018. This has been confirmed by HM Treasury at a UK level, but isn’t likely to be officially confirmed by the EU until later in the year. 
  • Please make sure you check your respective financial services regulator’s website for any guidance, updates, or final rules.

The FCA website for the UK www.fca.org.uk (external link)

The Central Bank of Ireland for Ireland www.centralbank.ie (external link)

Should you have any questions or wish to discuss any of the above please email us at uk&[email protected]


As highlighted last month's update, as a result of the UK’s decision to leave the European Union, we are making some necessary changes to our business structure to ensure continuity of cover to all our customers with European risks. Brexit is structural not strategic for Hiscox, so in most cases you should see and feel very little change from us, if any at all. 

A key implication of Brexit is the loss of ‘passporting rights’ which allow Hiscox to conduct cross-border business throughout the European Economic Area (EEA) either directly from the UK or through our branch offices across Europe. Hiscox currently operates through an insurance company (Hiscox Insurance Company Limited), an agency (Hiscox Underwriting Limited) or via Lloyd’s of London, all of which are registered in the UK and will therefore lose their passporting rights.

Our priority is to ensure we can continue to provide products and services to policyholders with EEA risks; what that looks like will vary slightly depending on which part of the business you work with.

We will continue to refine our plans further over the coming months, particularly as more becomes known about Brexit from the UK government and as we all get more clarity over a transition period.

Want more? 

You can access all our previous Regulatory Bulletins here