We explore the benefits of a control-based approach to data protection. How does it contribute to a secure and compliant environment? And what new approaches have recently been approved in the UK?
Insurance brokers are entrusted with a wealth of personal data, a responsibility that cannot be taken lightly. As gatekeepers of sensitive information, they must navigate the complex landscape of regulation with the utmost diligence.
Data is managed in multiple sources: policy administration, claims management and CRM. So a robust data protection strategy is not just an ICO mandate but a cornerstone of consumer trust and industry integrity.
The EU General Data Protection Regulation (GDPR) significantly raised the stakes following its launch in May 2018, emphasising the need for robust data protection practices. It was adopted as the UK GDPR with minimal tweaks post-Brexit. It brought processors under the law for the first time, extended breach notification obligations beyond telcos and ISPs to all controllers, and introduced large reputational and financial risk from failure to comply.
But the GDPR is a long and complex law. So the lack of a clear, implementable proxy for compliance teams to work against creates challenges for broking firms. Without a real understanding of the processes and procedures needed to meet requirements, brokers can’t be confident about achieving and maintaining compliance.
A controls-based approach to the GDPR is developing to address these issues. A controls framework provides management and operational teams with a clear set of requirements that can be measured and tested.
Benefits of a controls-based approach
This approach has long been adopted in the world of security, with well-known standards such as ISO 27001, SOC2 and Cyber Essentials. These provide a structured framework for achieving compliance and the key benefit of visibility and demonstrability of compliance, across firms.
Control testing follows a pre-defined process and results can be summarised to provide robust governance reporting to boards, departments and specialist teams that are responsible for compliance. It offers one common voice for the compliance programme.
Audits play a crucial role in assessing compliance posture. Controls-based frameworks make audits more effective by offering clear documentation of implemented controls. Internal and external auditors can easily check that the necessary safeguards are in place.
Firms can demonstrate their commitment to compliance through well-documented control procedures. This transparency not only satisfies regulatory expectations but also builds trust with stakeholders.
This approach is expanding in the world of privacy, with controls covering aspects such as data access, breach notification, consent management and processing activities management.
The framework landscape
There are many frameworks on the market that address data security, starting with frameworks and benchmarks created by vendors. The high bar is set by ISO27001, with some alternatives that provide easier entry through IASME Assured and Cyber Essentials.
But these are security standards and, while security is fundamental to privacy, it is only one of the GDPR’s seven principles. The other six have nothing to do with security.
ISO 27001 does have a separate extension focussed on Privacy: ISO 27701. But this isn’t, and is unlikely to become, a formally approved standard for the GDPR. SOC2 can – but does not need to – cover privacy. And, again, SOC2 is not and is unlikely to become a GDPR standard.
These standards can certainly be influential in purchasing decisions and demonstrating overall privacy compliance, and should be part of the decision-making process. But there are benefits of using a certification scheme adopted by data protection authorities under Article 42 of the UK or EU GDPR.
Regulatory recognition
Certification under an approved scheme is highly valued by regulators and brings certain statutory protection and regulatory risk benefits.
The GDPR text refers to the establishment of approved certifications as being “for the purpose of demonstrating compliance” with its obligations, from data protection by design to security and supporting transfers.
Brokers should note that compliance with an approved certification is a factor that regulators must take into account when considering whether to issue a fine and, if applicable, how much that fine should be.
Unapproved standards such as SOC2 and ISO 27701 do not provide these benefits.
ICO-approved certifications
Until recently, the ICO had approved a small number of very niche control frameworks under Article 42 UK GDPR. That changed early this year with the approval of a pan-GDPR framework for the legal industry and their processors relating to the protection of client data: LOCS:23.
While only law firms, other legal services providers, and their processors can be certified under LOCS:23, it is a pan-GDPR standard approved by the UK ICO. This means it provides an influential controls-based standard that can easily be applied by other industries, including financial services.
Indeed, the creator of LOCS:23 has a second standard, currently in the UK ICO’s Article 42 approvals process, focussed on the financial services industry, from insurers to consultants, banks to funds. This takes the same approach as, and has identical controls to, LOCS:23. Approval is expected later this year.
Commercial advantages
Beyond regulatory compliance, a controls-based approach offers many significant commercial benefits:
- Competitive edge: Firms certified under recognised schemes signal their commitment to data protection. This can be a differentiator in a competitive market. Clients and partners value firms that prioritise privacy and security.
- Client confidence: Demonstrating compliance through controls reassures clients that their data is in safe hands. Trust is a valuable currency, and compliance efforts contribute to building strong client relationships.
- Risk mitigation: By implementing controls, firms reduce the risk of data breaches and associated penalties. Proactive compliance measures prevent costly legal battles and reputational damage.
So a controls-based approach empowers broking firms to navigate the complexities of data protection compliance effectively. By embracing clear controls, firms not only meet legal requirements but also build a demonstrable culture of privacy and trust. And by adopting a certification approved under Article 42 GDPR, they also gain key regulatory benefits.
To find out more on this topic, please contact Phil Broadbery.