GDPR - DPA checks
Ask one data protection question from each of the following lists:
- Email Address
- Date of Birth
and
- Vehicle Model/Registration
- Phone number
- Last year’s premium
- Occupation
- Postcode
GDPR - Second call DPA checks
On most occasions yes, we should check data protection on every call.
Some exceptions to this apply in specific situations for some business areas. If they are applicable to you, you will be made aware of them by your line manager.
GDPR - Nominee MTA:
First check if they are nominated, if not do not proceed any further. If they are proceed adhering to the current nomination rules. Remember you cannot arrange a new policy, transfer to another insurer or process a cancellation for a nominee.
GDPR - Power of attorney
We should not be discussing policy details with anyone who isn’t the policyholder, a nominee or has provided evidence they have authority to act on behalf of the policyholder (i.e. Power of Attorney). If you believe the circumstances may mean the policyholder is a vulnerable customer or there are exceptional circumstances, then you can refer the matter to your Manager/Group Compliance to consider what additional support we might be able to offer in line with our Vulnerable Customer policy.
GDPR - Nominee/Non-Nominee Payments
You can’t give any information out to the caller. However, if they are able to provide sufficient information, including telling us the amount they wish to pay, you can take the payment and advise that a letter will be sent to the policyholder to confirm this.
GDPR - Lapsed client contact
We are allowed to contact previous clients, or those who had previously requested quotations, as they have previously shown an interest in Stroll, unless they have opted out. We will limit the timescale to within three years. If the customer asks that we should not contact them in future, make sure to update their marketing preferences.
GDPR - Telephone confirmation of bonus to another broker
If the client has left authorisation for us to speak to their new insurer/broker and they pass DPA, then NCB and claims history can be confirmed.
GDPR – Voicemails:
Do not disclose information other than who is calling and your contact details. You cannot go into detail, especially if it’s something sensitive, e.g. don’t say “I’m ringing about an outstanding balance/debt”. If you were simply calling about a renewal, then it would be in order to state that this is what the call is about.
e.g. “It’s Joan calling from Stroll about your insurance policy/previous insurance/upcoming renewal, can you please call me on 02893 123456.”
GDPR – accessing another policy or quote to obtain driver details
You cannot look up the person’s details and use them without their permission. Ask the caller to speak to the driver they want to add and confirm their information with them, and offer to ring the client back. Alternatively, ring the person the client wants to have on their policy and ask for authorisation.
GDPR – surprise for daughter/son
We should not arrange cover without first speaking to the policyholder. In the instance of the vehicle being a surprise, you may refer to the Insurer first; if they are willing to allow this, and it is also referred to your Manager, you may proceed. Additional measures, such as getting a signed proposal form returned from the policyholder or arranging a follow-up call, can be considered.
GDPR – using someone else’s email address
We can allow this provided the policyholder or nominee has provided the email address (remember to check the spelling of the email address).
GDPR – Data Breach
Any suspected breach should be reported to Group Compliance immediately.
Ask the person who has received the documents in error to return the documents to us or dispose of them securely.
Ensure that the documents are re-issued to the correct policyholder.
Examples of personal data breaches:
- Loss or theft of personal data or equipment (encrypted and non-encrypted devices) on which personal data is stored, e.g. loss of paper record, laptop, iPad or USB stick
- Inappropriate access controls allowing unauthorised use, e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to personal data or information systems
- Equipment failure
- Human error, e.g. email containing personal data sent to the incorrect recipient
- Unauthorised disclosure of sensitive or confidential information, e.g. document posted to an incorrect address or addressee
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
- Insecure disposal of paperwork containing personal data
GDPR – Request for data to be deleted
We may not be able to delete their information, as we are likely to be required to hold it by our regulators; should this arise, refer the details to Group Compliance to review. If the customer’s concern is with receiving marketing, then you should let them know we can update their marketing preferences so they do not receive any further marketing contact without the file being deleted.
GDPR – Data Subject Access Request (DSAR)
For details on dealing with DSARs check the DSAR Guide issued and available on the compliance intranet page. We have 30 days to complete DSAR requests.
In brief, you should clarify with the client exactly what information they require. If the request is for documents the customer has already been sent before, such as their policy documents, then these can be supplied as per the usual processes. This applies to 3rd parties appointed by the customer.
If it is for personal data not supplied as part of any normal processing, such as call recordings or CCTV, then forward the request to Group Compliance.
GDPR – MID call for info
Ask the caller to confirm the policy number and then complete the data protection questions, e.g. vehicle registration number, date of birth etc. If they are able to provide these, then proceed to deal with them. Should you have any concerns, ask them to email their request.
GDPR – Where can our customers find our Data Protection Policy?
Advise the client that our Data Protection policy can be found on our website; this explains what data we collect, what we use it for and who we share it with.
GDPR – selling data to third parties
We do not sell data. We will only ever use the client’s data to contact them about their policy with us or other offers we may have. We only share their data where it’s necessary to service their policy, i.e. with the Insurer.
GDPR – why do we record our calls?
We have regulatory and contractual obligations that mean we will record all calls. If the caller isn’t happy with this, you can advise that we have options to communicate by email and via contact forms on our website if they prefer.
GDPR – Cancelling by email
Match the email the request for cancellation has come from to the email we hold on the customer account. Follow the cancellation process and ensure the necessary steps are taken and confirmation letters/emails/sms are sent.
GDPR – Live chat with prospects/quotes/noncustomers
Check the name and car registration to ensure it is the right record we are accessing. Make sure the right quote has been linked to the right person. The risk should be low, as they have completed the quote themselves, so if they suddenly start to ask for personal details this should be raised with a manager before any information is disclosed.