UK GDPR Insurance Data Residency Explained: Where Claims Data Must Live
UK GDPR data residency for insurance firms — the post-Brexit landscape, where claims data can lawfully be stored, adequacy decisions, and how to evaluate cloud-based claims platforms.
Ask ten insurance professionals where their claims data "must" be stored under UK GDPR and you will likely get ten different answers. Most will say "in the UK." A few will say "in the EU." Almost none will give the correct answer: UK GDPR does not require data to be stored in any particular country. What it regulates is the conditions under which data can be transferred to countries outside the UK — and the difference matters enormously for how you select and contract with cloud-based claims platforms.
This confusion costs UK insurance firms real money. It leads to overly restrictive vendor requirements, missed opportunities to use best-in-class platforms, unnecessary data architecture complexity, and in some cases a false sense of security: firms that insist on UK-only storage but have not put the correct contractual protections in place with their processors.
The post-Brexit landscape: UK GDPR and EU GDPR
When the UK left the EU, it retained the EU General Data Protection Regulation as domestic law under the European Union (Withdrawal) Act 2018, amended for a UK-only context and sitting alongside the Data Protection Act 2018. The result is informally called "UK GDPR." At the point of Brexit, UK GDPR and EU GDPR were substantively identical. They have since begun to diverge.
The UK maintains its own list of adequacy regulations, which largely carried over the EU's adequacy decisions at exit and has since been extended (notably with the UK-US Data Bridge). The EU has in turn adopted an adequacy decision for the UK, so data can flow from the EU to the UK without additional legal mechanisms, though that decision is time-limited and subject to review, and would lapse if the UK's regime diverged too far.
For insurance firms operating across both jurisdictions, which covers most Lloyd's market participants, UK insurers with EU branches, and many MGAs, this means operating under two related but distinct frameworks simultaneously. Data flowing from a UK claims operation to an EU-based reinsurer is a restricted transfer out of the UK, covered by the UK's adequacy regulations for the EEA; the reverse flow is covered by the EU's adequacy decision for the UK. Data flowing from a UK claims operation to a US-based cloud provider needs a UK GDPR transfer mechanism in place.
What "data residency" actually means under UK GDPR
The term "data residency" does not appear in UK GDPR. The regulation does not require data to reside anywhere in particular. What it does require is that when personal data is transferred to a country outside the UK, one of the following conditions is met:
- The UK Secretary of State has issued an adequacy regulation for that country
- Appropriate safeguards are in place, most commonly the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (binding corporate rules are another option for intra-group transfers)
- A specific derogation applies (consent, vital interests, public interest, legal claims, etc.)
This means a UK insurance firm can lawfully store claims data in US-based cloud infrastructure, provided the correct transfer mechanism is in place and, where that mechanism is the IDTA or Addendum, a transfer risk assessment has been carried out. Note that "transfer" includes giving someone outside the UK access to the data, so a US support team with remote access to UK-hosted claims records is a restricted transfer too. It also means that storing data on UK-based servers does not automatically make processing lawful: the controller-processor relationship still requires a Data Processing Agreement, and the processor must provide sufficient guarantees about its technical and organisational security measures.
The misconception that "UK-only storage = GDPR compliance" is wrong in both directions: it overstates the requirement (UK storage is not mandated) and understates it (UK storage alone is not sufficient).
Current UK adequacy regulations
The UK has issued adequacy regulations for a range of countries including the EU and EEA, Switzerland, the USA (under the UK-US Data Bridge, the UK Extension to the EU-US Data Privacy Framework), Canada, Israel, New Zealand, Japan, South Korea, and others. For cloud-based claims platforms, this is practically significant.
Most major cloud providers, AWS, Microsoft Azure and Google Cloud among them, have US parent companies. If the US entity you are transferring to participates in the UK-US Data Bridge and holds a current self-certification, transfers to it are covered without additional contractual mechanisms. However, the Data Bridge covers only certified entities, not the USA as a whole, and what matters is the actual data flow: which legal entity you contract with, which region the data is stored in, and who can access it from where. Insurance firms need to verify that their cloud vendor and any sub-processors hold current certification on the published list, not simply accept the vendor's assurance.
For providers in countries not covered by adequacy (or US providers without Data Bridge certification), the UK IDTA or Addendum is the primary mechanism. It must be incorporated into the data processing agreement with the relevant processor and backed by a transfer risk assessment.
The controller-processor relationship for claims platforms
A cloud-based claims platform is almost certainly a data processor acting on behalf of the insurance firm as data controller. This means the insurance firm must have a Data Processing Agreement (DPA) in place with the platform provider covering the requirements of Article 28 UK GDPR.
A compliant DPA for a claims platform must include:
- a description of the processing (subject matter, duration, nature and purpose, types of personal data and categories of data subjects)
- instructions binding the processor to process data only as documented by the controller
- confidentiality obligations on staff with access to the data
- technical and organisational security measures
- sub-processor management provisions, including prior notice of changes
- assistance obligations for data subject requests, security incidents and breach notification
- deletion or return of data at contract end
- meaningful audit and inspection rights
Many insurance firms accept the vendor's standard DPA without review. Vendor DPAs are drafted to protect the vendor, not the controller. Insurance firms should review and negotiate DPAs to ensure they reflect the specific processing activities involved in claims handling and provide genuine (not theoretical) audit rights.
Special category data in health and workers' compensation claims
Health insurance and workers' compensation claims involve health data — special category data under Article 9 UK GDPR. The processing conditions are stricter than for ordinary personal data, but they do not impose different geographic requirements. The same transfer framework applies to health data as to ordinary personal data.
What special category data does require is an Article 9(2) condition for processing (several of which, in the UK, also require meeting a condition in Schedule 1 of the Data Protection Act 2018, for example the employment or insurance conditions) and heightened security measures reflecting the sensitivity of the data. For a claims platform processing health data, this means more stringent access controls and vendor security assurances, but not a requirement for UK-only storage.
Practical vendor evaluation for data residency compliance
When evaluating a cloud-based claims platform for UK GDPR compliance, the questions to ask go well beyond "where is the data stored?"
- Adequacy or IDTA coverage: Is the vendor, and each of its sub-processors, covered by a UK adequacy regulation, or is a UK IDTA or Addendum in place? Can the vendor provide documentation?
- Sub-processor register: Who are the vendor's sub-processors? Where are they located? What mechanisms cover transfers to those sub-processors?
- DPA quality: Does the vendor's DPA meet Article 28 requirements? Are audit rights genuine or purely theoretical?
- Data residency options: Can the vendor offer EU or UK-based data residency if your risk assessment or client contracts require it? This is not a legal requirement but may be needed in specific circumstances.
- Article 30 records: Does the vendor provide the information needed to maintain your Records of Processing Activities, including categories of processing, purposes, and transfer destinations?
The ICO's approach
The ICO's guidance on international transfers is pragmatic rather than prescriptive about data locations. When a transfer relies on the IDTA or Addendum, the exporter must carry out a transfer risk assessment (TRA) to check whether the laws and practices of the destination country might undermine the protections in the agreement; the ICO's TRA tool is one recognised way to do this, but not the only one. For transfers covered by an adequacy regulation, no TRA is required. Where one is required, it must be a genuine assessment, not a tick-box exercise.
The ICO has signalled it will take international transfer compliance seriously, particularly where sensitive data is involved. Insurance firms that cannot demonstrate they have assessed transfer risks and have appropriate mechanisms face enforcement risk.
Key takeaways for claims platform procurement
Do not let "where is the data stored?" be your only question — it is the least important compliance question. Focus on what mechanisms cover the transfers, what the DPA actually says, and who the sub-processors are.
Negotiate your DPA. The vendor's standard form is a starting point. Insurers handling significant personal data volumes need robust DPAs that reflect the actual processing and provide genuine audit rights.
Maintain your Article 30 records. Every cloud platform used for processing personal data must be reflected in your Records of Processing Activities.
Check sub-processor coverage. The main vendor's compliance does not cover its sub-processors — the chain of protection must extend all the way down.
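The vendor evaluation questions above, the TRA rule in the ICO section, and the "all the way down" sub-processor point can be expressed as a single check over a sub-processor register. The following is an added illustration, not code from the page or from Regure: it walks a constructed processor chain and reports, for each hop, which UK GDPR mechanism covers it, or flags a gap. The country list, the vendor names and the field names are assumptions made for the example; the real adequacy list and Data Bridge participants must be checked against the regulations and the published certification list in force at assessment time.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative subset of countries covered by UK adequacy regulations (EEA members,
# Switzerland, Canada, Israel, New Zealand, Japan, South Korea among them). This is an
# assumption for the example; check the regulations in force rather than reusing it.
ADEQUATE = {"IE", "DE", "FR", "NL", "ES", "IT", "CH", "CA", "IL", "NZ", "JP", "KR"}


@dataclass
class Processor:
    """One processor or sub-processor, with the facts needed to decide which
    UK GDPR transfer mechanism covers the hop to it (field names are assumed)."""
    name: str
    country: str                         # ISO 3166-1 alpha-2 where data is stored or accessed from
    dpa_signed: bool = True              # Article 28 data processing agreement in place
    data_bridge_certified: bool = False  # current self-certification under the UK-US Data Bridge
    idta_in_place: bool = False          # IDTA or UK Addendum executed with this entity
    tra_completed: bool = False          # transfer risk assessment done for that IDTA/Addendum
    sub_processors: list[Processor] = field(default_factory=list)


def assess(p: Processor) -> list[tuple[str, str, str]]:
    """Return (name, mechanism, note) for p and every sub-processor beneath it.
    mechanism is one of: none-needed, adequacy, data-bridge, idta, GAP."""
    country = p.country.upper()
    if not p.dpa_signed:
        # UK storage does not remove the Article 28 requirement.
        row = (p.name, "GAP", "no Article 28 DPA")
    elif country == "GB":
        row = (p.name, "none-needed", "no restricted transfer; DPA still required")
    elif country in ADEQUATE:
        row = (p.name, "adequacy", "covered by UK adequacy regulation; no TRA needed")
    elif country == "US" and p.data_bridge_certified:
        row = (p.name, "data-bridge", "verify the certification is current on the published list")
    elif p.idta_in_place and p.tra_completed:
        row = (p.name, "idta", "IDTA/Addendum in place and TRA completed")
    elif p.idta_in_place:
        row = (p.name, "GAP", "IDTA/Addendum in place but no transfer risk assessment")
    else:
        row = (p.name, "GAP", f"no adequacy, Data Bridge or IDTA covers transfer to {country}")
    rows = [row]
    for sub in p.sub_processors:          # the chain must hold all the way down
        rows.extend(assess(sub))
    return rows


def chain_covered(rows: list[tuple[str, str, str]]) -> bool:
    """True only if no hop anywhere in the chain is a GAP."""
    return all(mechanism != "GAP" for _, mechanism, _ in rows)


def example_chain() -> Processor:
    """Constructed example register; none of these are real vendors."""
    return Processor(
        name="Claims platform vendor (UK)", country="GB",
        sub_processors=[
            Processor(name="Cloud hosting (US parent)", country="US", data_bridge_certified=True,
                      sub_processors=[
                          # Sub-sub-processor with no mechanism: the hosting provider's
                          # own certification does not cover it.
                          Processor(name="Hosting provider's offshore support", country="PH"),
                      ]),
            Processor(name="Offshore support desk", country="IN", idta_in_place=True),  # no TRA
            Processor(name="Document OCR service", country="IE"),
            Processor(name="UK backup vault", country="GB", dpa_signed=False),
        ],
    )


if __name__ == "__main__":
    rows = assess(example_chain())
    for name, mechanism, note in rows:
        print(f"{mechanism:12} {name:40} {note}")
    print("chain covered:", chain_covered(rows))
```

Run as-is, the constructed chain fails on three hops: the hosting provider's own sub-processor has no mechanism at all, the support desk has an IDTA without a TRA, and the UK backup vault has no DPA despite storing data in the UK. The first two are the sub-processor and TRA points from the sections above; the third is the "UK storage alone is not sufficient" point.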
Regure's claims platform is designed to support UK GDPR compliance — with transparent sub-processor documentation, audit-ready Data Processing Agreements, and data residency options for clients whose requirements demand UK or EU-based storage. Visit our UK compliance page to understand how we handle data governance, or request a demo to discuss your specific requirements.
Ready to modernize your claims operations?
Book a 20-minute demo and see how Regure automates the manual work holding back your team.