GDPR and insurance

 

There have been varying reactions to the impending change in data protection laws, with the new General Data Protection Regulation (GDPR) due to come into force in May 2018.

Some brokers and insurers have noted an increased uptake in cyber insurance policies as businesses seek to safeguard themselves from harsher financial penalties. Other businesses have wrongly assumed that this EU imposed rule won’t be relevant to UK businesses after Britain leaves the EU.

Research from Crown Records Management found that this was the case for 44% of businesses surveyed.

This is an expensive mistake. Under the new regulation, a serious breach could come with a fine of up to €20 million, or up to 4% of the company in question’s annual global turnover, whichever is greater.

To put this in perspective, Talk Talk’s £400,000 fine for its breach in October 2015 would be almost £60 million if it had occurred after May 2018. 

Are these fines insurable?

This is a question for the courts, as it depends on whether the data breach was criminal or not. Being able to claim back on insurance in this circumstance would defeat the object of having a fine in the first place.

Cyber liability insurance policies usually grant cover for fines and penalties provided that these fines are “insurable at law”. The “illegality defence” clearly applies to prevent recovery of criminal fines, by meaning of insurance claims.

The purpose of the new GDPR regulation is not to give licence for the Information Commissioner’s Office (ICO) to be unreasonably heavy handed. Fines levied, therefore, are unlikely to be the result of a breach where no fault could be found with the business in question.

What’s covered in relation to regulatory action?
Data breaches are addressed in cyber insurance, and whilst this policy cannot guarantee immunity for fines, there are other ways in which it can be invaluable.

It can cover the costs of an ICO investigation, the legal expenses and compensation associated with the case, notification of those affected, and the bill that comes from minimising your reputational damage.

If you deal with personal data of any kind, then GDPR is going to affect you and your business. If you would like to speak with an insurance adviser on how we can protect your cyber liability, then call or email Fiveways on 01952 812380 or enquiries@fivewaysinsurance.co.uk.