Insurance brokers: How can you help your clients prepare for GDPR?

Risk in Context

GDPR and Beyond: Helping Your Clients to Prepare

Back in August, the UK Government published its Statement of Intent regarding the new UK Data Protection Bill.

The statement clarifies a number of things around the government’s plans to change the UK data protection landscape, and the implementation of the General Data Protection Regulation (GDPR) in particular.  More broadly, the government says the new data protection bill will bring the country’s data protection laws up to date and help to prepare it for the future, following its exit from the European Union (EU).

That new clarity as to the future of data protection in the UK gives us all an opportunity to help our clients to better understand the planned changes and prepare for them.

This short guide looks at what we now know, following the release of the Statement of Intent, before setting out some specific recommendations that are likely to be relevant and helpful for client businesses.

What we Now Know

The Data Protection Bill will repeal the UK Data Protection Act 1998 and bring EU law, including the GDPR, into UK law “in a way that as far as possible preserves the concepts of the Data Protection Act … while complying with the GDPR and Data Protection Law Enforcement Directive (DPLED) in full,” according to the document.

The Statement of Intent also indicates some of the derogations (or exceptions) in the GDPR that the UK will exercise, including:

  • Processing of criminal data: The GDPR only permits bodies vested with official authority to process personal data on criminal convictions and offences. The Bill aims to preserve continuity with the existing position and extend the right to enable organisations other than those vested with official authority to process data relating to criminal convictions and offences.
  • Automated decision-making: The government will ensure there are grounds for processing personal data by automated means where there are legitimate grounds for doing so and suitable safeguards in place.
  • Age of consent: The government will set the minimum age at which a child can consent to data processing to 13.
  • Exemptions for research: Significant exemptions will be introduced to allow universities, research establishments, and museums to continue to operate in a way that protects information but does not inhibit future innovation and discovery.

In news that will be particularly welcomed by UK and international businesses, the Statement of Intent states that the UK Government is “committed to ensuring the uninterrupted data flows” between the UK, the EU, and other countries around the world.


With greater certainty on the long-term impact of the GDPR on the UK after it leaves the EU, it is important that organisations continue their preparations for the GDPR, which will become applicable from 25 May 2018.

The ICO has provided guidance to help organisations with their preparations. In particular, your clients should:

  • Ensure all key people in their companies understand the GDPR.
  • Know what personal data their companies hold and the lawful basis on which they rely when using and storing it: They should keep in mind the more stringent consent requirements.
  • Check their privacy notices, policies, procedures, and other documentation are compliant with the new requirements.
  • Have plans in place to detect, report, and investigate data breaches.
  • Check whether they are required to appoint a data protection officer.

The new requirements may oblige your clients to make operational and IT changes, which take time and require investment. Proactive organisations can use this as an opportunity to improve their data management strategies in such a way as to enhance their data capabilities, which could in turn help them grow their businesses.

Peter Johnson
Senior Vice President, Marsh Risk Consulting

Marsh ProBroker’s parent company