Under the General Data Protection Regulation (GDPR), organisations across the EU can be fined for non-compliance, via the Information Commissioner's Office (ICO). The ICO can issue administrative and regulatory fines of up to €20 million or 4% of an organisation's global turnover, whichever is higher. There is therefore increasing concern about whether these fines are insurable. It is essential to know whether your business is at risk of data protection fines, and whether you are covered by cyber insurance or your own indemnity policy.
GDPR and fines
The regulatory fines which an organisation can face are separated into two tiers:
- €10 million or 2% of the company's global annual turnover, whichever is higher.
- €20 million or 4% of the company's global annual turnover, whichever is higher.
The first tier of fines usually relates to an organisation's obligations regarding data protection by design or by default, or to its records of processing activities.
The second tier of fines is usually due to an organisation infringing the basic principles of processing, infringing the rights of a data subject, or transferring personal data to a third country or an international organisation.
Article 84 of the GDPR states that the fines used should be "effective, proportionate and dissuasive." Therefore, the dissuasive nature of GDPR fines means that for the majority of EU member countries, the GDPR fines are not insurable.
DLA Piper, a multinational law firm, and Aon, the global professional services firm, worked together to create "The Price of Data Security," a guide which draws some definitive conclusions about whether GDPR fines are insurable. In the UK, GDPR fines are not insurable. Aon and DLA Piper found that, out of thirty countries, the only two in which the fines were insurable were Finland and Norway.
Vanessa Leemans, the Chief Commercial Officer at Aon Cyber Solutions EMEA, has stated that because GDPR fines are not insurable, it is essential that organisations work with insurance partners to ensure they have an incident response plan ready.
DLA Piper has stated that although GDPR fines are not insurable in the UK and the majority of EU member states, there are measures which can be used, such as insurance against legal costs for organisations facing a data breach. Yet prevention of such a data breach is always the best alternative.
Cyber Insurance and GDPR
Although GDPR fines are not insurable, a company's cyber insurance can cover some aspects of the GDPR. Cyber insurance is specifically needed for small and medium-sized enterprises (SMEs), as they tend to be more at risk of sufficiently serious data breaches. In 2016, 66% of SMEs experienced a data breach due to cyber-crime. Therefore, they need cyber insurance or a more effective data management plan.
SMEs, on average, do not tend to have the money or resources needed to rectify a data breach. If a data breach is sufficiently serious, the organisation is forced to notify the public, which will subsequently damage its reputation. This requirement was introduced to prevent organisations from concealing their data breaches, as Uber did in 2016. Thus, a cyber insurance policy is needed to handle these data breaches.
Pen Underwriting, an insurance company based in the UK, offers cyber insurance which can cover costs of up to £100,000 in the first 72 hours of a breach, as well as a 24-hour hotline for queries. Consequently, just because GDPR fines aren't insurable doesn't mean companies can't receive help from cyber insurance.
For the UK and the majority of EU member states, GDPR fines are not insurable. Therefore, organisations need to put in place cyber insurance or a protective procedure which will help the organisation handle a data breach and all of its costs and consequences.