Previously, we looked at the impact of the GDPR on the insurance industry in terms of consent, automatic profiling and exemptions. In this article, we look at whether postcodes constitute ‘personal data’ and sharing data with third parties.
The GDPR defines personal data as ‘any information relating to an identifiable person’ and that includes names and location data.
The Ordnance Survey definition of a postcode unit is “an area covered by a particular postcode”. Postcode units are unique references and identify an average of 18 addresses. Currently, the maximum number of addresses in a postcode is 100. There are over 77,000 postcodes with only one residential address and around 336,000 postcodes with less than five residential addresses. This might be perceived to be a problem if the data attached to that postcode can be deemed to be ‘personal’ and could be used to identify a particular individual.
There has so far been no guidance issued relating to the number of properties within a postcode deemed to be the level sufficient to safeguard the anonymity of individuals residing there when using any statistics or data relating to that postcode. Some statisticians often refer to a number as high as 30, though this number relates to something called ‘the Central Limit Theorem’ and is more to do with producing robust, reliable statistics and estimates of the mean rather than relating to privacy.
Time limits and erasure
The use of personal data should be limited to the “specific purpose” for which the processing is intended. This change is likely to impact the insurance industry which up to now has sought to hold on to personal data for as long as possible to maximise its potential use. Clearly, there are business reasons for keeping hold of customer data but Article 17 states that data subjects are entitled to have their personal data erased or forgotten if there is no longer a legal requirement to retain the data. It also states that the data subject has the right to request that personal data is erased without “undue delay” when the personal data is no longer necessary in relation to the purposes for which they were collected.
Sharing personal data with third parties
Insurers share data with industry bodies and platforms such as the Claims and Underwriting Exchange [CUE], the Insurance Fraud Bureau [IFB] and the Insurance Fraud Register [IFR] for the purposes of preventing fraud. The Regulation states that insurers will have to rigorously record and evidence how and why they are using and sharing data.
The ABI has been lobbying the government to pass legislation so that insurers can continue to use fraud indicator data and criminal conviction data.
With GDPR taking effect in less than 6 months, you will need to start thinking about the implications sooner rather than later to ensure you have everything in place to meet the May 2018 deadline.