Have you considered the impact that GDPR will have on your healthcare benefits data?

When the EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018, it changed rules around the way you handle your employees’ personal information.

In simple terms, the GDPR replaced the EU’s 1995 Data Protection Directive – becoming UK law in the guise of the Data Protection Act 2018 (DPA) and enforced by the Information Commissioner’s Office (ICO). It gave individuals more power to demand that companies reveal or delete personal data they hold, and regulators greater power to take action, including significant fines for breaches.1

GDPR and healthcare benefits

The GDPR draws no distinction between personal data about individuals in their private, public or work roles.2 That means it covers the processing of personal data across employee benefits such as private medical insurance and employee protection products, but also mobile health apps and wearable technology. This is because providing employee benefits often requires you to handle employee data such as name, age and address but also health data.3

As a result, whether you’re dealing with employees’ personal data or more sensitive health data, you will need to make sure you have the right processes in place to comply with GDPR – which includes proving you have lawful consent to process that data and have taken appropriate steps to keep it secure.2

It’s critical to consider the impact of GDPR on your employee benefits programme because there may be significant impact if you don’t ‒ with fines of up to 4% of annual global revenue or 20m Euros for data breaches.2 While GDPR compliance is an important aspect of overall risk management, greater transparency and accountability in the use of personal data can also bring business benefits in the form of enhanced reputation and employee satisfaction.4

The good news is that the steps organisations must take to ensure compliance are now well established – so you can act with greater confidence in ensuring your employee healthcare benefits comply with GDPR.

GDPR health data consent

Establishing a legal basis for processing personal data has long been central to data protection compliance, but GDPR raised the bar compared with the previous regulatory regime.

That is, prior to GDPR, consent to collect, store and process personal data was routinely obtained via employment contracts. However, this approach is unlikely to be sufficient under GDPR, which states that employees must be informed of the purpose and use of their personal data, and given a clear explanation of how it will be treated.5

You will need to ensure the approach you take to gaining consent complies with GDPR’s stricter requirements. Any document you use to obtain GDPR health data consent must be concise, in plain language, and include details of:

  • the type of data you wish to collect
  • how long you will store it
  • whether you will share it and, if so, who you will share it with.

It will also need to include the name and contact details of your data protection officer.5

Assess the healthcare benefits data you need to keep

Complying with GDPR presents an ideal opportunity to assess the amount of data you collect, store and supply to third parties.

In the case of GDPR and healthcare benefits, you may find that personal data sharing is not necessary in some cases. For example, some life insurers may accept just an employee number and salary, rather than a list of employee names and national insurance numbers, so check with your insurers as to the data they really need.

Equally, there may be situations where it isn’t necessary for you to hold personal data at all. For instance, while an insurer might require employee medical histories, it may not be necessary for you to supply it – instead, employees or an insurance consultant could provide this information.

As a basic rule of thumb, remember there needs to be a good reason to supply personal data to a third party – otherwise don’t do it.

Managing your healthcare benefits data

It’s essential you give some thought to how you manage health data. Cyber security measures such as password protection, encryption, and secure filing cabinets for paper-based data are vital but you also need to think about how long you need to store it – because under GDPR, data should only be retained for as long as it is required to fulfil its purpose.5

Additionally, you need to think about how you will deal with individual rights enshrined in GDPR and DPA. They include subject access requests (SARs) – the right of an individual to request access to personal data held by an organisation – and the ‘right to be forgotten’, which is a person’s right to request that data is deleted when there is no compelling reason to retain it.5

In both cases, given the law sets a limit of one month to respond to requests, it is crucial to have systems in place to comply in a timely fashion. As a minimum, that means implementing systems and processes that ensure you can identify employees’ personal data, potentially across multiple locations within the organisation.6

Finally, don’t overlook any third parties dealing with employee health data – taking steps to ensure they have the right processes in place to protect and secure it should also be part of your risk management process.

Help and support

Implementing the necessary processes to comply with GDPR may seem like a major project, but you needn’t panic. The Information Commissioner’s Office (ICO) has taken a pragmatic approach to the regulation and has produced lots of really useful guidance – including this detailed guide to the GDPR and DPA.

Meanwhile, for further information, read about the latest data protection trends or contact a Marsh Commercial risk management specialist for advice and guidance.


1. https://www.theguardian.com/technology/2021/aug/26/what-gdpr-why-does-uk-want-reshape-data-laws
2. https://www.superoffice.com/blog/gdpr/
3. https://dataprivacymanager.net/processing-personal-data-of-employees/
4. https://www.privacytrust.com/guidance/gdpr-is-not-just-about-data.html
5. https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/factsheet#gref
6. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/