Since the new General Data Protection Regulation (GDPR) was introduced in May, individuals have greater control over what companies can do with their personal data. The GDPR is applicable across the European Union, and UK companies should now be complying with the regulation. However, given the recent change, little guidance has been provided to insurance companies on how to design a risk management framework for their data protection risk analysis. This paper provides insight into implementation and considerations for insurance firms.