GDPR and insurance

There have been varying reactions to the impending change in data protection laws, with the new General Data Protection Regulation (GDPR) due to come into force in May 2018.

Some brokers and insurers have noted an increased uptake in cyber insurance policies as businesses seek to safeguard themselves from harsher financial penalties. Other businesses have wrongly assumed that this EU-imposed rule won’t be relevant to UK businesses after Britain leaves the EU.

Research from Crown Records Management found that this was the case for 44% of businesses surveyed.

This is an expensive mistake. Under the new regulation, a serious breach could come with a fine of up to €20 million, or 2% of the company in question’s annual global turnover, whichever is greater.

To put this in perspective, TalkTalk’s £400,000 fine for its breach in October 2015 would be almost £60 million if it had occurred after May 2018.

Are these fines insurable?
In the absence of a definitive answer, it’s best to assume not. Ultimately, this is a question for the courts, as it depends on whether the data breach was criminal or not. Being able to claim back on insurance in this circumstance would defeat the object of having a fine in the first place.

The purpose of the new regulation is not to give the Information Commissioner’s Office (ICO) licence to be unreasonably heavy-handed. Fines levied, therefore, are unlikely to result from a breach where no fault could be found with the business in question.

What’s covered in relation to regulatory action?
Data breaches are addressed in cyber insurance, and while such a policy cannot guarantee immunity from fines, there are other ways in which it can be invaluable.

It can cover the costs of an ICO investigation, the legal expenses and compensation associated with the case, the notification of those affected, and the bill for minimising reputational damage.