DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Insurance: Handling Sensitive Policyholder Data and Claims

Insurance companies collect more personal data about individuals than almost any other industry. Health histories, financial circumstances, driving behaviour, property details, criminal convictions, claims records, and intimate details about life events — all of it flows through insurers as a matter of routine business.

This creates a GDPR compliance environment that is genuinely complex. The intersection of sensitive data categories, automated decision-making, multi-party data sharing, fraud prevention obligations, and lengthy retention requirements makes insurance one of the most challenging sectors to get right under the regulation.

This guide covers the key GDPR obligations for insurance companies, brokers, and related businesses — from underwriting to claims handling to marketing.


The Data Insurance Companies Collect

Before getting into compliance obligations, it is worth mapping the range of personal data insurance businesses typically process:

Policyholder data: Name, address, date of birth, contact details, payment information, policy history.

Health and medical data: For life, health, income protection, and critical illness products — medical history, pre-existing conditions, prescribed medications, mental health history, genetic information.

Financial data: Income, assets, credit history, mortgage details, employment information — relevant to life insurance, payment protection, and underwriting risk assessment.

Driving records: Licence history, claims history, convictions, telematics data (speed, braking, mileage, time of day) for motor insurance.

Property data: Construction details, flood risk data, crime statistics for the area, contents valuations for home insurance.

Claims data: Details of incidents, injuries, losses, third-party information, medical reports, witness statements, correspondence with solicitors.

Criminal conviction data: Spent and unspent convictions are relevant to both underwriting risk and fraud assessment — this is a special category requiring specific handling.

Fraud-related data: Information shared with and received from fraud prevention databases such as the Insurance Fraud Register (IFR) and the Claims and Underwriting Exchange (CUE).

The breadth of this data makes comprehensive GDPR compliance non-negotiable — and the consequences of getting it wrong are serious. The ICO has issued significant fines to insurers for data breaches and inadequate security measures.


Special Category Data: Elevated Obligations

GDPR Article 9 identifies categories of data that carry heightened protection because of the particular risks their misuse creates. Several of these are routine in insurance:

Health data is the most significant. Life insurers, health insurers, income protection providers, and travel insurers all process health data as a core business function. This is not marginal — it is central to risk assessment and claims handling.

Genetic data may be collected or received in the context of life insurance medical underwriting, though the Genetics and Insurance Committee (GAIC) in the UK places restrictions on its use.

Criminal conviction data under Article 10 requires specific legal authorisation. For insurers, this typically comes via the Rehabilitation of Offenders Act (Exceptions) Order, which allows insurers to ask about spent convictions for certain insurance products.

To process special category data lawfully, you need both:

  1. A standard lawful basis under Article 6 (usually contract or legitimate interest)
  2. An additional condition under Article 9(2)

The most commonly applicable Article 9(2) conditions for insurers are:

  • Article 9(2)(b): Processing necessary for carrying out obligations in the field of employment and social security law — relevant to group health and income protection schemes
  • Article 9(2)(f): Processing necessary for the establishment, exercise, or defence of legal claims — important for claims handling
  • Article 9(2)(g): Processing necessary for reasons of substantial public interest under Union or Member State law — used by fraud prevention schemes
  • Article 9(2)(h): Processing for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health care — relevant to insurers working with medical underwriters

Insurers must document which Article 9(2) condition they are relying on for each category of health data processing. Vague references to "insurance purposes" are insufficient.


Lawful Bases for Insurance Processing

Most insurance processing is conducted under one of three lawful bases:

Contract (Article 6(1)(b)): Processing personal data to administer an insurance policy — underwriting, issuing documents, handling renewals, processing claims — is generally covered under contract performance or the necessary steps before entering a contract.

Legal obligation (Article 6(1)(c)): Anti-money laundering checks, sanctions screening, FCA regulatory reporting, and fraud reporting obligations to bodies like the Insurance Fraud Bureau (IFB) may be conducted under legal obligation.

Legitimate interest (Article 6(1)(f)): This is the most contested ground. Insurers regularly rely on legitimate interest for fraud prevention, data sharing with industry databases, marketing to existing policyholders, and risk analytics. Each legitimate interest assessment (LIA) must genuinely balance the insurer's interest against the policyholder's rights and expectations.

Consent is rarely the primary basis for insurance core processing — and for good reason. When consent is the only mechanism, the policyholder can withdraw it at any time, which would create significant operational problems for the ongoing policyholder relationship. However, consent may be appropriate for specific marketing activities, particularly to non-customers.

Insurers should map each processing activity to a specific lawful basis and document it. Saying "we process your data for insurance purposes" is not a lawful basis — it is a description of business activity.


Automated Decision-Making and Risk Profiling (Article 22)

Insurance underwriting has always involved risk classification. GDPR's Article 22 adds significant constraints when this classification is automated.

Article 22 gives individuals the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects or similarly significant effects. An insurance decision clearly qualifies: being refused cover, being quoted a substantially higher premium, or having a claim denied based solely on automated processing triggers Article 22 protections.

What Article 22 requires: when insurers rely on automated decision-making, they must:

  • Tell policyholders that automated processing is taking place and explain the logic involved
  • Give individuals the right to request human review of the decision
  • Give individuals the right to contest the decision
  • Not use automated processing to make decisions based on special category data unless they have explicit consent or the processing is authorised by law and suitable safeguards are in place

In practice, many insurers use automated systems for initial decisions (quote generation, straight-through claims processing) but retain human oversight for declinations, high-value claims, and complex underwriting cases. This is the right approach — and it should be documented.

Profiling-based pricing — particularly the use of consumer characteristics, behaviour data, and third-party data to set premiums — requires transparency. Policyholders should be able to understand in general terms what factors affect their premium, even if the precise algorithm is commercially sensitive.

The right to object: Under Article 21, individuals also have a broader right to object to processing based on legitimate interest. For profiling in an insurance context, this creates tension that needs to be addressed in privacy notices with a clear explanation of why the profiling serves a compelling legitimate interest that overrides individual objections.


Telematics and Black Box Insurance

Usage-based insurance (UBI) — telematics devices, smartphone apps, connected car data — creates a distinctive GDPR challenge. Insurers are collecting continuous behavioural data: location, speed, acceleration, braking, time of day, journey patterns.

This is personal data. When combined with other information, it can reveal sensitive inferences: where someone lives, where they work, their daily routine, their health (e.g., regular hospital visits), their social habits. It may also contain data about passengers who have not consented to anything.

GDPR obligations for telematics programmes:

  • Consent, contract, or clear legitimate interest: The basis for collecting driving data must be explicit and clearly explained. Most telematics schemes rely on contract (the policyholder has agreed to UBI as a condition of the product), but that agreement must be genuinely informed.
  • Data minimisation: Collect the minimum data needed for the underwriting purpose. Continuous GPS tracking of every journey may be disproportionate if aggregate speed and braking data would suffice.
  • Purpose limitation: Telematics data collected for underwriting pricing should not be repurposed for marketing or sold to third parties without a separate basis.
  • Data Protection Impact Assessment (DPIA): Large-scale processing of location data is one of the ICO's listed categories that requires a DPIA before processing begins.
  • Retention: Driving data should not be kept indefinitely. Define and document retention periods — typically the policy period plus a short claims tail.
  • Third-party data: If passengers are identifiable from journey data, consider whether and how they need to be informed.
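The data minimisation and retention bullets above are the two points a telematics pipeline can enforce in code. The following is an added example (not from the original post or from Custodia): raw pings carrying location are reduced to per-trip behaviour aggregates that keep no coordinates, and each summary carries a retention date of policy end plus a short claims tail. The thresholds, field names, and 90-day tail are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Assumed thresholds (hypothetical values chosen for illustration).
HARSH_BRAKE_KMH_PER_S = 15.0   # speed drop of more than 15 km/h within one second
NIGHT_START_HOUR = 23          # 23:00 .. 04:59 counts as night driving
NIGHT_END_HOUR = 5
CLAIMS_TAIL_DAYS = 90          # short claims tail retained after the policy ends


@dataclass(frozen=True)
class RawPing:
    """One raw telematics sample as a device reports it (includes location)."""
    ts: datetime
    lat: float
    lon: float
    speed_kmh: float


@dataclass(frozen=True)
class TripSummary:
    """Minimised record kept for pricing: no coordinates, no per-second trace."""
    trip_id: str
    max_speed_kmh: float
    mean_speed_kmh: float
    harsh_brakes: int
    distance_km: float
    night_driving: bool
    retain_until: date


def summarise_trip(trip_id: str, pings: list, policy_end: date) -> TripSummary:
    """Reduce a raw trace to aggregate features; lat/lon are never copied out."""
    if len(pings) < 2:
        raise ValueError("a trip needs at least two samples to derive behaviour features")
    ordered = sorted(pings, key=lambda p: p.ts)
    harsh, distance_km = 0, 0.0
    for prev, cur in zip(ordered, ordered[1:]):
        dt_s = (cur.ts - prev.ts).total_seconds()
        if dt_s <= 0:
            continue  # duplicate timestamp: skip rather than divide by zero
        # Deceleration and distance come from the speed signal alone, not from positions.
        if (prev.speed_kmh - cur.speed_kmh) / dt_s > HARSH_BRAKE_KMH_PER_S:
            harsh += 1
        distance_km += cur.speed_kmh * dt_s / 3600.0
    speeds = [p.speed_kmh for p in ordered]
    night = any(p.ts.hour >= NIGHT_START_HOUR or p.ts.hour < NIGHT_END_HOUR for p in ordered)
    return TripSummary(trip_id, max(speeds), sum(speeds) / len(speeds), harsh,
                       distance_km, night, policy_end + timedelta(days=CLAIMS_TAIL_DAYS))


def due_for_deletion(summaries: list, today: date) -> list:
    """Trip ids whose documented retention period has elapsed."""
    return [s.trip_id for s in summaries if today > s.retain_until]


# Constructed sample trace: six one-second samples from one late-night journey.
_T0 = datetime(2024, 3, 10, 23, 30, 0)
SAMPLE_PINGS = [
    RawPing(_T0 + timedelta(seconds=i), 51.50 + i * 1e-5, -0.12, v)
    for i, v in enumerate([50.0, 52.0, 54.0, 36.0, 20.0, 18.0])
]
SAMPLE_SUMMARY = summarise_trip("trip-001", SAMPLE_PINGS, policy_end=date(2024, 12, 31))

if __name__ == "__main__":
    print(SAMPLE_SUMMARY)                                   # two harsh brakes, no coordinates
    print(due_for_deletion([SAMPLE_SUMMARY], date(2025, 4, 1)))  # ['trip-001']
```

Once the summary is written, the raw pings can be deleted, which is what makes the "aggregate speed and braking data would suffice" argument defensible in a DPIA.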

Telematics raises the same Article 22 questions as other automated underwriting: if a young driver's premium is calculated entirely from algorithmic analysis of their driving score, with no human review available, that is likely to require the Article 22 safeguards.


Sharing Data with Reinsurers and Third Parties

Insurance is a collaborative industry. Data flows between insurers, reinsurers, brokers, claims handlers, loss adjusters, medical examiners, solicitors, and rehabilitation providers. Each transfer creates GDPR obligations.

Reinsurers: When an insurer cedes risk to a reinsurer, policyholder data often goes with it. Reinsurers are typically joint controllers or separate controllers (not processors) — they are making their own underwriting decisions. The insurer must have a lawful basis for the transfer, and the policyholder's privacy notice should mention reinsurance as a category of data sharing.

International transfers: Many reinsurers operate from outside the UK or EEA. Transfers to countries without an adequacy decision (the US, Bermuda, Singapore) require Standard Contractual Clauses (SCCs) or another transfer mechanism. Post-Brexit, UK insurers need to check both UK GDPR and EU GDPR requirements depending on where data flows.

Claims supply chain: Third-party administrators, loss adjusters, and rehabilitation providers typically act as processors — they are processing data on the insurer's behalf. A Data Processing Agreement (DPA) is required for each relationship, setting out what data they can process, for what purpose, and what security standards they must meet.

Appointed representatives and brokers: The controller/processor distinction needs careful thought when brokers introduce business. The broker may be a separate controller for their client relationship data, while the insurer is controller for the policy data.


Fraud Prevention Databases

The insurance industry maintains shared fraud prevention databases — the Claims and Underwriting Exchange (CUE), the Insurance Fraud Register (IFR), MyLicence, and others. Sharing data with and searching these databases is essential for fraud detection, but it must be done within a GDPR framework.

The lawful basis is typically legitimate interest (fraud prevention is a recognised legitimate interest in GDPR's recitals) or legal obligation where statute requires fraud reporting.

Key requirements:

  • Fair processing information: Policyholders must be told at the point of application or claim that their data may be checked against and shared with fraud prevention databases. This should be in the privacy notice and ideally on application forms.
  • Proportionality: Only data relevant to fraud assessment should be shared. Sharing excessive personal data under the banner of fraud prevention is not justified.
  • Accuracy: Insurers have an obligation to ensure data shared with databases is accurate. Incorrect fraud markers can cause serious harm to individuals — refusal of insurance cover, higher premiums, difficulty obtaining financial products.
  • Individuals' rights: Individuals can request access to their data held on fraud databases. The insurer needs to be able to respond to these requests and explain why data was shared.

The Insurance Fraud Bureau (IFB) operates under its own GDPR-compliant framework, but insurers remain responsible for ensuring their individual reporting practices are lawful.


Claims Files and Third-Party Data

Claims handling creates one of the most complex GDPR scenarios in insurance — and one of the most frequent sources of DSARs.

When a policyholder makes a claim, the claims file typically contains:

  • The policyholder's personal data
  • Third-party personal data (the other driver, the injured party, the neighbour whose fence was damaged)
  • Witness data
  • Medical reports containing health data about the claimant
  • Solicitor correspondence
  • Surveillance evidence in fraud-suspected cases

DSARs in this context are genuinely complex. When a policyholder submits a DSAR asking for all data held about them, the insurer must consider:

  • What data relates to the subject making the request (must be provided)
  • What data relates to third parties (must be redacted or withheld to protect those third parties' rights)
  • Whether any exemptions apply — for example, data that would prejudice the prevention or detection of crime (relevant for fraud investigations), or data covered by legal professional privilege

Insurers regularly receive DSARs from policyholders involved in disputed claims or litigation. The right to receive personal data does not override legal professional privilege — claims correspondence prepared in contemplation of litigation may be exempt.

Retention of claims files must be documented. Typical practice retains files for the duration of the limitation period relevant to the claim type:

  • Personal injury claims: 3 years from the date of knowledge, but often retained for longer given the possibility of late claims
  • Property damage: up to 6 years
  • Liability claims: can extend to 15 years or more depending on policy type and jurisdiction

These retention periods are defensible under GDPR's "legal claims" exception to the storage limitation principle, but they must be documented and applied consistently.


Marketing to Policyholders vs. Prospects

Insurance marketing creates distinct GDPR questions depending on whether you are marketing to existing policyholders or to new prospects.

Existing policyholders: Direct marketing to existing customers can be conducted under the soft opt-in (PECR Regulation 22(3)) if:

  • The person bought a similar insurance product from you previously
  • You gave them a clear opportunity to opt out at the time of purchase
  • You give them a clear opportunity to opt out in every subsequent communication

"Similar product" matters. A home insurance customer receiving marketing for home insurance renewal is straightforward. The same customer receiving marketing for life insurance or pet insurance is less clear — and many insurers take a consent-based approach to cross-sell for this reason.

Prospects: Cold email or SMS marketing to non-customers requires prior consent under PECR, and that consent must meet GDPR's standard — freely given, specific, informed, and unambiguous. Purchased lists that claim "GDPR consent" for insurance marketing are almost universally unreliable and should be avoided.

Renewal communications: Insurers have a genuine legitimate interest in sending renewal information to policyholders. However, FCA regulations require insurers to show the previous year's premium alongside the renewal quote — this creates additional data processing obligations.


Data Subject Rights in the Insurance Context

Every GDPR data subject right creates specific considerations for insurers:

Right of access (SAR): The complexity of claims files, third-party data, and legal privilege exemptions makes SARs resource-intensive. Insurers should have a documented SAR process, including a triage mechanism for complex requests and a decision framework for redacting third-party data.

Right to erasure: This right is explicitly limited where data must be retained for legal claims, legal obligations, or public interest. Most insurance data will fall within one of these exceptions during the policy period and retention tail. However, prospect data that was never converted to a policy has fewer grounds for retention.

Right to rectification: If a policyholder disputes the accuracy of their declared health history or prior claims record, this must be investigated and corrected if appropriate. Inaccurate data in an insurance file can affect future underwriting.

Right to portability: Policyholders have a right to receive their data in a structured, commonly used, machine-readable format where processing is based on consent or contract. In practice, this means being able to export claims history, policy documents, and personal details.

Right to object to profiling: If an individual objects to automated profiling that affects their premium, insurers must be able to explain the legal basis for the profiling and, if it is legitimate interest, assess whether the insurer's interest overrides the individual's objection.


Conducting a DPIA for Insurance Processing

Several insurance activities require a Data Protection Impact Assessment (DPIA) before processing begins. The ICO's list includes:

  • Large-scale processing of special category data (health data for group health insurance schemes)
  • Systematic and extensive profiling producing significant effects (automated underwriting)
  • Large-scale processing of location data (telematics)
  • Matching data from multiple sources (claims fraud analytics across multiple databases)

A DPIA should describe the processing, assess necessity and proportionality, identify risks to individuals, and describe measures to mitigate those risks. For insurance businesses, DPIAs should be standard for any new product involving health data or automated decision-making.


Practical Steps for Insurance GDPR Compliance

Insurance businesses should prioritise:

  1. Data mapping: Document every category of personal data processed, the lawful basis, the source, the purpose, retention periods, and who it is shared with. This is the foundation of everything else.

  2. Special category register: Identify every process that involves health, genetic, or criminal conviction data and confirm the Article 9(2) condition relied upon for each.

  3. Privacy notice review: Insurance privacy notices are typically long and complex — but they must be clear, accessible, and cover all processing activities including fraud database sharing, reinsurance transfers, and automated decision-making.

  4. SAR process: Document a clear internal process for responding to DSARs, with defined ownership, a third-party redaction protocol, and exemption decision guidance.

  5. DPA audit: Audit all supplier and partner relationships involving personal data and ensure DPAs are in place where parties act as processors.

  6. Article 22 review: Map all automated decision-making processes, confirm safeguards are in place, and ensure fair processing information is provided.

  7. Retention schedule: Define and document retention periods for each data category, with the legal basis for those periods.


Start with Your Website

Before tackling the full complexity of insurance GDPR compliance, it is worth ensuring your external-facing website — often the first point of data collection for prospects and policyholders — is properly configured.

Many insurance websites collect more data than their operators realise: analytics trackers, session recording tools, chatbots, lead generation pixels. Each one creates GDPR obligations that need to be addressed before any policyholder relationship begins.

Run a free Custodia scan to see exactly what your website is collecting, which third-party scripts are loading without consent, and what your cookie consent setup looks like from a compliance perspective. Results in 60 seconds.


This guide provides general information about GDPR compliance for insurance businesses and should not be treated as legal advice. Insurance regulatory requirements vary by product type, jurisdiction, and supervisory guidance. For advice specific to your business, consult a qualified data protection lawyer or privacy professional with insurance sector experience.
