GDPR for Insurance Brokers: How to Handle Policyholder and Claims Data Compliantly
Insurance brokers occupy a uniquely sensitive position under GDPR. You handle data that touches people's health, finances, criminal histories, and life circumstances — often all at once. A life insurance application, a motor fleet renewal, or a professional indemnity claim can involve more special category and near-special-category data than most sectors encounter in a year.
This guide is written for independent insurance brokers and small insurance firms operating in the UK and EU. It covers lawful bases, processor relationships, claims handling, FCA retention obligations, marketing rules, and a practical compliance checklist.
Why Insurance Data Is Especially Sensitive
Not all personal data is equal under GDPR. The Regulation creates a hierarchy of sensitivity, and insurance data sits near the top.
Special Category Data You Almost Certainly Process
Health data is the most common special category data in insurance. Life insurance, health insurance, income protection, critical illness, and travel insurance all require detailed health disclosures. Medical reports for claims, GP summaries, hospital discharge letters — all of this is Article 9 special category data requiring explicit consent or a Schedule 1 condition under UK GDPR.
Criminal convictions and offences data appears in home insurance ("have you ever been convicted of fraud?"), motor insurance ("any motoring convictions?"), and professional liability. This data is governed by Article 10 GDPR, which restricts processing to those with official authority or specific legal authorisation.
Near-Special-Category Data: Financial Vulnerability
Beyond the formal Article 9 categories, insurance data frequently reveals financial vulnerability — a status the FCA's Consumer Duty regime treats with heightened care, even where GDPR doesn't explicitly class it as special category.
A policyholder who can only afford minimal cover, who has claims outstanding, or who has previously been declined or loaded carries sensitive financial profile data. The combination of payment history, claims behaviour, and cover choices can reveal a great deal about a person's financial circumstances.
Treat this data with special category discipline even where GDPR doesn't formally require it. The FCA certainly expects it.
Lawful Basis: Getting It Right for Each Processing Activity
One lawful basis does not cover all your processing. You need to map each activity to the right basis.
Contract (Article 6(1)(b))
Processing that is necessary to arrange and administer a policy can rely on contract. This covers:
- Collecting policyholder details to provide a quote
- Administering the policy throughout its term
- Handling mid-term adjustments
- Processing renewals where there is a continuing contract
Important: "Necessary for contract" is narrower than it sounds. It must be genuinely necessary — not just convenient. Sharing data with third-party marketing partners is not necessary for the insurance contract.
Legal Obligation (Article 6(1)(c))
FCA regulatory requirements provide a lawful basis for much of your compliance-driven processing. Anti-money laundering checks, sanctions screening, FCA conduct reporting, and certain record-keeping obligations rely on this basis.
Legitimate Interests (Article 6(1)(f))
Legitimate interests can support fraud prevention, internal analytics, and some B2B marketing — but they require a Legitimate Interests Assessment (LIA) for each use case. Legitimate interests alone cannot justify processing special category data.
Explicit Consent (Article 9(2)(a)) for Special Category Data
Where you process health data or criminal convictions data, you almost always need either:
- Explicit consent under Article 9(2)(a), or
- A Schedule 1 DPA 2018 condition (paragraph 13 for insurance purposes, or the employment-related condition for health data processed in an employment context)
Paragraph 13 of Schedule 1 to the UK Data Protection Act 2018 specifically enables processing of health data for insurance purposes — but requires an appropriate policy document to be in place, and the processing must be necessary for the insurance activity. You cannot rely on Schedule 1 as a general licence.
In practice: For most health data collected during underwriting and claims, maintain both explicit consent and a Schedule 1 paragraph 13 policy document as belt-and-braces protection.
Broker Management Systems as Data Processors
Applied Epic, Acturis, SSP, and similar broker management systems (BMS) hold some of the most sensitive data in your business — full policyholder records, claims histories, medical disclosures. Under GDPR, they are your data processors.
This has direct legal consequences:
- You must have a Data Processing Agreement (DPA) with each BMS provider before placing personal data into the system. Most reputable vendors provide these as standard — check that yours is in place and covers Article 28 requirements.
- The DPA must specify what the processor can do with the data, where it is stored, and what happens to it when the contract ends.
- You remain the data controller — responsible to policyholders for how their data is handled, even when technical processing is carried out by the BMS vendor.
- Audit your BMS vendor's sub-processor list. If Acturis uses Amazon Web Services, and AWS stores data in the US, you need appropriate safeguards for that international transfer.
Do not assume vendor compliance equals your compliance. A BMS being ISO 27001 certified is reassuring but does not substitute for a valid DPA.
Sharing Data with Insurers and Lloyd's Markets
The controller/processor distinction becomes more complex when you share policyholder data with insurers and Lloyd's syndicates.
Insurer as Independent Controller
In most arrangements, the insurer (or Lloyd's syndicate) is an independent data controller for its own processing — underwriting decisions, policy administration, reserving, claims settlement. You and the insurer each determine your own purposes and means.
This means:
- You each need your own lawful basis for the data you process
- You each bear independent compliance obligations to the policyholder
- Your privacy notice must disclose that data is shared with insurers as independent controllers (not just processors)
Where a Joint Controller Arrangement May Apply
If you and an insurer jointly determine the purposes and means of processing — for example, in a co-branded product with shared data infrastructure — you may be joint controllers under Article 26. This requires a formal arrangement setting out your respective responsibilities to data subjects. These arrangements are uncommon in standard broker-insurer relationships but worth legal review if your commercial arrangements are integrated.
Coverholder and MGA Arrangements
If you operate as a coverholder or within an MGA structure, your data flows are more complex. The Lloyd's market has its own data protection guidance. Ensure your binding authority agreements address data protection obligations explicitly.
Claims Handling and Sensitive Claims Data
Claims files are among the most sensitive documents in insurance. A motor injury claim may contain medical reports. A household claim may involve police reports. A professional indemnity claim may include privileged legal correspondence.
Medical Reports and Health Data
When you obtain medical reports during a claims investigation, you are processing special category health data. You need:
- Explicit consent from the claimant before approaching their GP or specialist, or
- Reliance on a Schedule 1 DPA 2018 condition (paragraph 13 for insurance or paragraph 10 for preventing/detecting unlawful acts in fraud investigations)
Medical reports must be stored securely, access-restricted to staff who need them for the specific claim, and retained only as long as the claim (and potential litigation) requires.
Legal Proceedings and Privileged Data
Correspondence with solicitors, counsel's advice, and without-prejudice negotiations are legally privileged and commercially sensitive. They still contain personal data subject to GDPR.
The legal claims basis (Article 9(2)(f)) permits processing special category data when necessary for the establishment, exercise, or defence of legal claims. This is a key ground for insurers defending disputed claims — ensure your privacy notices and data retention policies reference it.
Third-Party Claimant Data
Where a third party makes a claim against your policyholder (a motor liability claim, for example), you are processing data about a person who is not your customer and who has not given you their data directly. GDPR still applies. You must:
- Include third-party claimants in your privacy notice (via a layered notice or a standalone claimant privacy notice)
- Process their data only for legitimate claims handling purposes
- Give them access to their data on request
FCA Retention Requirements vs. GDPR Storage Limitation
GDPR's storage limitation principle requires you to delete personal data once you no longer need it. But FCA rules require you to retain records for defined periods. How do you reconcile these?
The principle: Regulatory retention requirements constitute a legal obligation under Article 6(1)(c), overriding the default storage limitation principle for the duration of the required retention period. After that period expires, you must delete the data — you cannot simply hold it indefinitely because "we might need it."
Key FCA retention periods for brokers:
- Client communications and suitability records: 5 years from the date of the service (COBS 9.5 / ICOBS 2.4)
- Complaints records: 3 years from the date of the complaint
- Anti-money laundering records: 5 years from the end of the business relationship
- Premium finance records: 5 years
In practice: Document a retention schedule that maps each data category to the applicable FCA (or other legal) retention period. Apply retention holds to relevant records in your BMS and document management system. At the end of each retention period, the data must be deleted or anonymised — not simply marked inactive.
A retention schedule that says "we keep everything for 7 years to be safe" is not GDPR-compliant. You need a data-driven justification for every category you retain.
Marketing to Existing Policyholders at Renewal
The renewal is the most commercially important marketing moment for a broker. GDPR and PECR (the Privacy and Electronic Communications Regulations) provide a pathway — but it has conditions.
The Soft Opt-In for Renewal Marketing
Under PECR Regulation 22(3), you can email or SMS an existing policyholder about similar products or services without separate marketing consent if:
- You obtained their contact details during a prior sale (the original policy placement)
- You are marketing similar products or services — renewal of the same policy class qualifies; cross-selling a completely unrelated product line may not
- You gave them a clear opportunity to opt out at the point of collection
- You include a clear, functional opt-out in every subsequent message
Renewal of the same policy class clearly qualifies. A home insurance broker contacting an existing home insurance policyholder about their renewal is the paradigm case.
Cross-selling at renewal is more complex. Adding motor insurance to a home insurance renewal communication is likely fine if you have a reasonable prior relationship covering both. Promoting a new travel product to a life insurance policyholder is a greater stretch — and requires careful assessment.
Consent for Electronic Marketing Where Soft Opt-In Does Not Apply
If the soft opt-in conditions are not met — or if you have not clearly offered an opt-out opportunity — you need specific, freely given, informed consent for electronic marketing. This is a higher bar and harder to obtain retrospectively.
Prospecting for New Business: Consent vs. Legitimate Interests
For personal lines insurance (consumers), the rules are strict:
- Cold email and SMS marketing to individuals requires consent under PECR. There is no legitimate interests route for direct marketing by electronic means to individuals.
- Cold calling to consumers is subject to the Telephone Preference Service (TPS) — you must screen your calling lists against the TPS register.
- Postal marketing can rely on legitimate interests, but requires a balancing test.
For commercial lines (businesses and sole traders):
- The corporate soft opt-in applies: you can email business contacts about relevant professional products without prior consent, provided you give an opt-out and the product is relevant to their business. Sole traders are treated as individuals — the individual soft opt-in rules apply.
- LinkedIn prospecting and other social selling to B2B contacts falls outside PECR (it is not "electronic mail") but is subject to GDPR's data processing rules — you need a lawful basis for processing their contact data.
Legitimate interests can support prospecting activity in commercial insurance where you can demonstrate that your business interest is proportionate and does not override the interests of the individual being contacted. An LIA is required, and you must honour opt-outs immediately.
Compliance Checklist for Insurance Brokers
Lawful Basis and Documentation
- [ ] Lawful basis identified and documented for every distinct processing activity (quoting, underwriting, claims, marketing, analytics)
- [ ] Explicit consent (or Schedule 1 DPA 2018 paragraph 13 policy document) in place for health data processing
- [ ] Article 10 processing of criminal convictions data covered by appropriate legal authority
- [ ] Legitimate Interests Assessments documented for any LI-based processing
- [ ] Records of Processing Activities (ROPA) maintained and kept up to date
Data Processor Management
- [ ] DPAs in place with all BMS providers (Applied Epic, Acturis, SSP, etc.)
- [ ] DPAs in place with all other data processors (cloud storage, email platforms, document management systems)
- [ ] Sub-processor lists reviewed and international transfer safeguards verified
- [ ] DPAs reviewed when vendor contracts are renewed or materially changed
Privacy Notices
- [ ] Privacy notice covers all processing activities, lawful bases, retention periods, and data sharing
- [ ] Insurers and Lloyd's markets identified as independent controllers (not just "third parties")
- [ ] Third-party claimants covered (either in main privacy notice or separate claimant notice)
- [ ] Privacy notice accessible at every point of data collection (website, proposal forms, claims forms)
Claims Handling
- [ ] Explicit consent or Schedule 1 DPA 2018 condition in place for obtaining medical reports
- [ ] Claims files access-controlled to relevant staff only
- [ ] Legal proceedings data handled under Article 9(2)(f) legal claims ground
- [ ] Third-party claimant privacy notices issued at first contact
Retention
- [ ] Retention schedule documented with legal or regulatory justification for each period
- [ ] FCA retention requirements mapped (5 years for client records, 3 years for complaints, 5 years for AML)
- [ ] Data deletion or anonymisation process in place and applied consistently
- [ ] Retention holds applied in BMS and document management system
Marketing
- [ ] Soft opt-in conditions documented for renewal and similar-product marketing
- [ ] Opt-out offered at point of collection and in every subsequent marketing communication
- [ ] Suppression list maintained and applied consistently
- [ ] TPS screening in place for outbound calls to consumers
- [ ] Separate consent records maintained where consent (not soft opt-in) is relied upon
Data Subject Rights
- [ ] Process documented for responding to Subject Access Requests within one month
- [ ] Process for handling deletion requests, noting where legal retention overrides erasure
- [ ] Process for handling access requests from third-party claimants
- [ ] Staff trained to identify and escalate data rights requests
Run a Compliance Scan on Your Brokerage Website
Your website is often the first compliance gap — tracking pixels, analytics tools, and contact forms frequently process personal data without a clear lawful basis or adequate disclosure. Custodia can scan your brokerage website to identify what data is being collected, flag compliance issues, and generate a plain-English report.
Run a free scan at https://app.custodia-privacy.com/scan — no signup required.
This post provides general information about GDPR compliance for insurance brokers. It does not constitute legal advice. For advice specific to your regulatory position, consult a qualified data protection solicitor or the ICO's guidance for financial services firms.