General Data Protection Regulation (GDPR)

RSA takes its responsibilities to safeguard the personal data of its customers and employees seriously. This page describes the actions we're taking to do that and to meet the requirements of GDPR

On this page you'll find:

  • A description of the actions we're taking to safeguard our customers' and employees' personal data
  • Frequently asked questions for customers

 

Context

On the 25 May 2018, the GDPR (General Data Protection Regulation) reforms and replaces the previous Data Protection Directive. It will provide a new set of standards regarding the treatment and protection of personal data.

Royal & Sun Alliance (RSA) Insurance plc takes its responsibilities to safeguard the personal data of its customers and employees seriously. To ensure that RSA would meet the requirements of GDPR we established projects in each of our impacted regions. These projects have been responsible for ensuring delivery of the new requirements and as such, our data practices have been updated throughout the business.

Purpose of processing

As an insurer, we need personal information to understand the level of insurance cover required. We use this information (e.g. name, address, telephone number and email address) to communicate with customers and if agreed, to send news and offers related to our products and services.

We need to use personal information to create quotes, allowing customers to buy insurance products from us. When buying a product from us, the information is needed to provide us with details about the items to be covered by the insurance policy (e.g. car make and model, your home).

We may need to check information submitted with external companies/organisations (e.g. the DVLA, the Motor Insurance Database, credit reference agencies and criminal conviction checks). When buying certain products, we will sometimes need to ask for special categories of personal data (e.g. driving offences for motor insurance, medical records in case of injury).

For claims against an insurance policy, we must collect information about the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them, which can include special categories of personal data (e.g. injury and health data).

GDPR requires us to meet certain conditions before we are allowed to use personal data. We rely on one or more of the following grounds:

  • Performance of contract: We need to use personal information in order to provide services under an insurance policy and perform our obligations under it (such as making payments in respect of a claim made under a policy).
  • Consent: In certain circumstances, we may need consent unless authorised by law in order to use personal information about the individual which is classed as "special categories of personal data".
  • Marketing Consent: Where we have your permission to do so, we will continue to let you know about offers and services we believe may be relevant. You will always the option to stop receiving these at any stage.
  • Necessity to establish, exercise or defend a legal claim: We may use personal information in either establishing our position, or defending ourselves in relation to a legal claim.
  • Compliance with a legal obligation: Where laws or regulations may require us to use personal information in certain ways.
  • Legitimate Interests: We may also process personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using the personal information (for example, carrying out market research), against the interests customers have as citizen and the rights under data protection laws.

Records of Processing

RSA has a central record of all personal data processing activities including information on storage and flows to internal and external systems where personal information is used. We have established processes to keep this record up to date.

Data Retention

In anticipation of GDPR, we reviewed our internal rules on how long we can keep different categories of personal data. Our approach to retention of personal data helps us comply with the requirement to process data lawfully and not keep more personal data than we should.

Data Subject Rights

We have prepared new processes to satisfy data subject rights.

All data subject rights (access, erasure, portability, rectification, objection, restriction) have been considered with the updating of our processes and policies and now form part of our standard customer relationship framework.

Addressing of Individual Data Subject Rights requests

For individuals who want to exercise their rights, the following process applies:

  • Rectification can be handled directly via our customer relationship contact points.
  • All other rights are explained in our new fair processing notices published in May 2018.

The main points of contacts for customer rights are:

The Data Protection Officer
RSA Bowling Mill
Dean Clough Industrial Park
Halifax HX3 5WA
United Kingdom

Data Subject Rights

We have prepared new processes to satisfy data subject rights.

All data subject rights (access, erasure, portability, rectification, objection, restriction) have been considered when updating our policies and processes and now form part of our standard customer relationship framework.

Information Security

We have policies, standards and procedures in place which support the GDPR principles in relation to the protection of customer and employee data.

Data Breach Reporting

Requirements for incident reporting have been issued across our organisation. These include steps to take in the event of a data breach, and the appropriate parties to be notified.

Our processes are designed to ensure we are able to notify all required third parties as quickly as possible following the identification of a reportable data breach.

Any external information on a breach or suspected breach should be sent to:

Communicating Privacy Information

Published in May 2018, our new Fair Processing Notice details how we process personal data. 

Data Processing Locations

In certain cases an individual’s personal information may be sent to other parties outside of the European Economic Area (EEA) in connection with the purposes necessary to deliver our insurance services. We take all reasonable steps to ensure that individual personal information is treated appropriately, and in doing so may rely on applicable transfer mechanisms such as the EU-US Privacy Shield and the standard contractual clauses approved by the European Commission.

Data Protection Officer

RSA has appointed a Data Protection Officer. All non-customer queries in relation to data protection should be emailed to dataprotectionofficer@uk.rsagroup.com.

Royal & Sun Alliance Insurance PLC
St Marks Court
Chart Way
Horsham
West Sussex RH12 1XL
United Kingdom

ICO Registration Number: Z7619834

Partnership, Broker and Supplier Management

All queries from partners, brokers and suppliers should continue to be directed as per the existing communication channels and relationship managers.

 

Frequently asked questions for customers

Why is the GDPR being brought in?

GDPR is the reform that is upgrading the current Data Protection laws. All organisations processing personal data must comply with it. It will continue to apply after Brexit and it replaces the Data Protection Act 1998.

What are my new and enhanced rights under the GDPR?

Under GDPR the rights are:

  • the Right to Access;
  • the Right to Rectification;
  • the Right to Erasure/be Forgotten;
  • the Right to Restrict Processing;
  • the Right to Object to Processing; and the Right to Data Portability.

What does ‘personal data’ mean?

Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of it must be done within the terms of GDPR. To find out more information about your rights please go to https://ico.org.uk/for-the-public

Will GDPR affect the products I hold with RSA?

There is no change to your products as a result of this change. However, as a customer, you now have enhanced rights so you are able to take more control of your personal information.

Do I have to give my ‘consent’ for RSA to use my personal information under GDPR?

As an insurer we are allowed to use personal data where it is necessary for the contract of insurance. This contract acts as an alternative to customer consent.

We only rely on consent for marketing activities. Customers will be given an explicit opportunity to opt in or opt out of marketing consent and can change their mind at any time.

Should I be worried about GDPR as a customer?

No. GDPR is designed to enhance an individual’s rights and protection of their personal data. Customers will benefit from this increased protection and will be able to have more control of their information. Organisations will be held more accountable and be more transparent with the data they hold.

As a customer and an employee, should I be taking any action?

No. RSA will make required changes to comply with the new regulations and there is no need for customers or employees to take any specific action in relation to their own data.

Is there a regulator I can approach if I feel that my rights are not being exercised?

The regulator for GDPR is the Information Commissioner’s Office (ICO). To find out more, go to https://ico.org.uk/concerns/ or contact them by calling 0303 123 1113.

What should I do if I have a specific GDPR question?

For all other rights refer customers to the ‘Rights’ section in the Privacy Policy on the rsa.com website (live by 4 May 2018).

Alternatively you can write to:

The Data Protection Officer
RSA
Bowling Mill
Dean Clough Industrial Park
Halifax HX3 5WA
United Kingdom

You can also email us at

What can I do if I believe RSA has withheld information that I am entitled to?

If a customer feels they have not received a full and satisfactory response from RSA, they have the right to lodge a complaint to the ICO in the same manner as they can do today.