August 1, 2018
Can Potential GDPR Fines Be Insured?
Out of 30 European jurisdictions reviewed, GDPR fines were found to be insurable in only two countries: Finland and Norway.
The General Data Protection Regulation (EU) 2016/679 (GDPR) revolutionizes the data protection regime and significantly affects how organizations worldwide collect, use, manage, protect and share personal data that comes into their possession. As personal data increasingly represents an important new class of economic asset for organizations, the regulatory environment across European member states is undoubtedly shifting, and regulators have greater powers of enforcement.
Aon and DLA Piper’s guide “The price of data security” reviews the insurability of GDPR fines across Europe, which can reach up to €20 million or, if higher, up to 4% of a group’s annual global revenue.
The scale of these fines has understandably generated concern in boardrooms. GDPR replaces a regime under which fines for a data breach were limited and enforcement actions infrequent. Moreover, the consequences of GDPR noncompliance are not limited to monetary fines. Other costs, potentially resulting from a data breach, could include legal fees and litigation, regulatory investigation, remediation, public relations, and the compensation and notification of affected data subjects. Furthermore, the potential damage to an organization’s reputation and market position can be significant.
The guide also looks at insurability of costs associated with GDPR non-compliance, including litigation, investigation and compensation, as well as the insurability of non-GDPR regulatory fines. It highlights that there are currently only a few jurisdictions in Europe where civil fines can be covered by insurance, and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured. Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also allows European member states to impose their own penalties for personal data violations.
Key findings include:
- GDPR fines were found to be insurable in only two of the countries reviewed – Finland and Norway;
- In 20 out of 30 reviewed jurisdictions, GDPR fines would generally not be regarded as insurable, including the U.K., France, Italy and Spain;
- In eight of the jurisdictions, it is unclear whether GDPR fines would be insurable. In these jurisdictions, specific details around individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.
The role of insurance
The magnitude of GDPR fines means organizations are keen to know whether these fines can be insured. Typical cyber insurance policies only insure fines when “insurable by law” and stipulate that the insurability of fines or penalties shall be determined by the “laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties.” Organizations also need to consider other costs and liabilities that could result from GDPR non-compliance. Given the size of the potential financial impact of GDPR non-compliance, it is important for organizations to understand how the insurability of fines, legal and other costs and liabilities following a data breach is approached in different jurisdictions.
While the insurability of fines may be limited, insurance forms a key component of an organization’s GDPR risk management strategy for managing the costs associated with GDPR noncompliance and the resulting business disruption losses. Beyond insurance, there is significant business advantage in taking privacy and data protection seriously. Properly securing the data you hold is critical, and a robust data retention strategy is equally essential.
The scope of GDPR is broader than most insurance policies, which are often triggered by privacy or security incidents, whereas GDPR violations can also be triggered by non-compliance separate from a privacy or security incident. To the degree an existing insurance policy is intended to cover wrongful collection or usage of private data and cyber-related regulatory fines, penalties and assessments, the same intent should apply with respect to GDPR. Similarly, to the extent an existing insurance policy excludes wrongful collection or use of private data and excludes cyber-related regulatory fines, penalties and assessments, the same should apply with respect to GDPR.
Reviewing GDPR preparedness on an enterprise basis can increase an organization’s overall cyber resilience and help to reduce its total cost of risk, insurance costs included.
There is no doubt that GDPR is a continuous challenge for organizations, but there are steps you can take to help manage the potential impact through risk governance, insurance review and incident response:
- Carry out a security audit to check personal data is secure against unauthorized access or processing
- Put in place a plan for ensuring continuous monitoring and follow up of data compliance efforts
- Ensure that contracts with all third-party processors contain at least the minimum terms stipulated by GDPR
- Adopt a privacy-by-design methodology when initiating projects or developing tools
- Ensure adequate cyber insurance coverage is in place
- Review your existing insurance coverage for GDPR noncompliance, especially fines, penalties and lawsuits, with assistance from qualified coverage counsel
- Ensure you have an incident response plan in place, including data security breach notification procedures
- Review your existing enterprise-wide incident response plan to ensure that it incorporates escalation plans and nominated advisers covering all required stakeholders. This includes business operations, legal, PR and key third parties such as IT service providers.