IDD and GDPR – what brokers need to know


In early 2018 some key changes come into force that will affect how the insurance industry sells its products and communicates with its customers.

The Insurance Distribution Directive (IDD) and the General Data Protection Regulation (GDPR) are both effective in the first half of 2018, and will bring the need for changes by both brokers and insurers in order to be compliant.

Below we outline what these are and what the changes mean for brokers.

The Insurance Distribution Directive (IDD)

What is it?

The Insurance Distribution Directive (IDD) replaces the Insurance Mediation Directive (IMD). The IDD aims to harmonise the rules around the selling of insurance and increase transparency for customers.

This EU directive introduces a set of technical standards that brokers and insurers will need to observe and comply with from the implementation date of 23rd February 2018.

What are the changes?

The key changes relate to the following:  

  1. Training and competency: Front-line sales staff will need to evidence 15 hours of relevant insurance CPD training annually. Each of these staff will also need to be checked regularly to confirm that they have not been convicted of fraud, dishonesty or financial crime.


  2. Remuneration: Brokers will need to inform customers about any fees that may apply to their policy and whether their staff receive sales incentives when selling insurance products.


  3. Product governance: Products must be regularly reviewed and the intended market for these products clearly understood, which in most circumstances is conducted by ERS.


  4. Documentation: The introduction of the new Insurance Product Information Document (IPID) – a summary document providing the customer with very specific information about the insurance cover that they have bought. These have now been submitted to Software Houses in preparation for policies effective from 23rd February 2018.


What do you need to do?

You should now be preparing for the changes mentioned above. For more information or support please visit the IDD consultation page of the FCA website. If you have any questions for us then please email or speak to your Business Development Executive.

What are we doing?

Our preparations for implementing the IDD requirements are progressing based on the current guidance from the FCA. We will however monitor and adapt our implementation to ensure compliance in response to the outstanding consultation papers from the FCA.

Additional Information

The ECON committee of the European Parliament recently called on the European Commission to delay the implementation of the IDD, but in the meantime we are progressing on the basis of meeting the 23rd February 2018 deadline.

The requirements of the IDD are not negated by Brexit and will still apply in spite of Britain's decision to leave the EU.

The General Data Protection Regulation (GDPR)

What is it?

The GDPR creates new legal obligations around data collection and distribution in order to better protect the rights of individuals and their data. It will replace the current Data Protection Act (DPA).

Under GDPR organisations will need greater control over the personal data they hold, including a clear record of why it is held and for how long.

The rules will apply to insurers and brokers, as both controllers and processors of personal data, and to any suppliers that process data on their behalf. There will also be financial penalties for non-compliance.

The GDPR comes into force on 25th May 2018.


What are the changes?

Under the new GDPR brokers and insurers will need to comply with the following:

  • Legal basis – Have a legal basis for processing personal data; personal data should only be collected for specific and legitimate purposes

  • Locating information – Documenting any personal data held and who it is being shared with. A recent Computer Weekly article includes some useful information about keeping track of customer data

  • Data retention – Retaining personal data only as long as necessary to fulfil the purpose it was collected for. Further detail on data retention can be found on this dedicated GDPR information site

  • Accuracy – Ensuring customers' personal data is accurate and kept up to date, and corrected or deleted without delay when inaccurate. This article contains some more information on data accuracy and the rights of individuals

  • Consent – Explicit consent must be obtained before sending customers correspondence unconnected to their policy. This includes marketing materials, which will not be permitted unless the business can prove that the customer has 'opted in' to receive them. This article contains some useful considerations around consent

  • Subject access requests – More information will need to be disclosed as part of a subject access request, and the response timescale will reduce from 40 days to one month. Some more guidance on managing subject access requests post-GDPR is available on the IT Governance website

  • Reporting – The ICO must be informed within 72 hours of a company becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. Failure to comply can result in fines; the highest tier of GDPR penalty is the greater of 4% of annual worldwide turnover or €20 million. More information on reporting data breaches can be found on the ICO blog

  • Data Protection Impact Assessments – Impact assessments of existing data processing activities will be required where the processing is likely to result in a high risk to individuals, and any new systems or processes must be designed with privacy in mind. Further information on impact assessments can be found on the ICO blog

What do you need to do?

You will need to be ready to demonstrate adherence to these rules from May 2018. This is likely to require a number of checks, changes and improvements to existing processes within your business, as well as some new processes, to ensure compliance: from updating your privacy notices to deciding how you will obtain the consent needed to send marketing or other promotional material. More information is available on the ICO website.

What are we doing?

We have a dedicated internal team, which is currently working to understand and progress the various requirements and impacts of the new rules. We will keep you updated as this work develops with a view to sharing more detail over coming months.

We are also preparing new Terms of Business Agreements that reflect the new data protection obligations in more detail. We intend to start distributing these early in the new year.