As we approach the one year anniversary of GDPR implementation, we have seen that many companies still don’t understand how the privacy regulation works or how to properly mitigate the risk. Earlier this year, Google, one of the largest technology companies in the world, was fined $57 million for a GDPR breach in France.
If companies with as many resources as Google are facing fines, how can far smaller businesses address this risk? One effective solution is to mitigate the risk through cyber insurance policies. Insurance helps businesses self-regulate their actions and acts as the last line of defense in the event of a major fine. But, not all policies are created equal, and it can be difficult to navigate the oftentimes confusing language in various insurance policies.
I've spent time evaluating numerous policies and examining GDPR-specific risks—even more so since my company, Coalition, developed a policy tailored to address GDPR. From this review, some myths and truths from GDPR became clear. Here are a few:
Myth: Only big companies and big fines matter
It is important to recognize that big businesses are not the only target of GDPR. While it is true that any business can be penalized, it’s safe to say that the largest fines are for the largest companies and the most egregious violations. However, this doesn’t mean that smaller fines and smaller offences aren’t being monitored.
In fact, smaller fines are levied on a regular basis. For example, one GDPR fine of $5,400 was issued for a retail establishment’s CCTV camera system that partially surveyed a public sidewalk. Even though it didn’t involve an egregious failure, nor an enormous company, action was taken and a fine levied. This exposes two elements of GDPR that are myths: that only large companies and large fines matter. To a smaller company, any fine plus attorney’s fees can be enough to be deadly, and countries are monitoring activity for all companies.
Myth: Only European businesses need to comply with GDPR
Last year, the number of companies offering cyber insurance in the Lloyd’s of London commercial insurance market jumped more than 20%. According to Lloyd’s chief executive, gross written premiums for European cyber insurance could reach more than $2 billion annually by 2020, partly as a result of GDPR.
While this growth supports the fact that E.U. businesses need to mitigate the risk of compliance with GDPR, it fails to acknowledge that U.S. companies are also subject to GDPR. This is because GDPR has a much wider scope than just European companies. It protects personal data even across the Atlantic. Accordingly, a U.S. company can just as easily violate GDPR when collecting, using or maintaining data regarding E.U. citizens. Come time for fines, if a business only collects a third of its revenue from European customers, it will still be fined on its revenue from all markets. Therefore, businesses outside of Europe need to evaluate GDPR compliance and insurance, as well.
Myth: A vendor’s breach does not affect my company
Your business is liable if a trusted vendor loses your data. Therefore, you may consider requiring that your vendors procure GDPR insurance policies, naming your company as an additional insured. If your company was entrusted with data, you are liable even if one of your vendors loses the information.
Truth: Risk mitigation can help
A 2018 study of privacy professionals found that 56% of respondents were at companies that were not yet compliant with GDPR, and 19% said that their companies would never be fully compliant. This is clearly an unsustainable approach to GDPR.
Mitigation techniques are a crucial aspect of a good policy. Leading insurance companies help businesses comply with regulations by educating them and evaluating their privacy practices. The use of these techniques, in turn, helps protect businesses against allegations.
Truth: The right cyber insurance policy could save your business
From the day GDPR went into effect, May 25 of last year, to the end of this past January, there have been 91 GDPR fines issued. That is more than two fines per week. To purchase an insurance policy that will allow your business to survive a fine, it is paramount to review what specifically is covered. It is important to protect your company with a policy that covers you not only in the event of security failures and data breaches but also when often-forgotten repercussions arise regardless of whether data was compromised.
GDPR is unique in that it codifies privacy regulations. Not only are companies fined if they expose customer data as a result of a cyber breach, but companies are also receiving penalties for failure to follow their own privacy policies.
Not following your own privacy policies is called “failure to comply” and can result in fines from GDPR. For example, if your company says in its privacy policy that it will delete certain information, which is also known as “the right to be forgotten,” it must hold up its promise. Failure to comply with that very privacy policy could result in fines and penalties. To mitigate this risk, companies should review their privacy policies regularly and also ensure that failure to comply is included in their chosen GDPR insurance policy.
Truth: Take action now
GDPR has been in effect for almost a year, so, if you haven’t yet taken measures to prepare your company for the event of a fine, do so now. Whether your company is big or small, it’s important that you consider a GDPR insurance policy, and when you look, be sure to find a policy that covers both fines resulting from a cyber breach and fines resulting from failure to comply. Additionally, check whether the insurance provider offers risk mitigation techniques, and evaluate the provider's payout limit. It can also be important to review the vendors critical to your business and encourage them to procure coverage as well, to avoid a business disruption or third-party liability. With these considerations in mind, your business will be ready to purchase a policy that will prevent you from going under in the event of a fine.
Myth Busting on GDPR Insurance Policies