Does Cyber Insurance Cover GDPR Fines?

Five years ago, the world’s most stringent security and privacy law was enacted. The General Data Protection Regulation (GDPR) was formulated by the European Union (EU) and has become the benchmark for similar laws worldwide.

Even though the UK has since left the EU, GDPR continues to apply to any business processing the personal data of any EU citizen. In other words, if you do business with Europe, GDPR applies to you.

In this guide, we discuss the impact of GDPR violations and whether cyber insurance can protect you.

What are the biggest GDPR risks for businesses?

GDPR enforcement has been a common theme within the EU for the last few years. In 2021 alone, the EU levied $1.2 billion in GDPR fines on companies worldwide, including Amazon and Facebook parent Meta.

Non-compliance can result in maximum fines of up to 20 million Euros or 4% of a company’s global annual turnover, with the highest figure being used.

Other business risks associated with not adhering to GDPR guidelines include:

  • Reputational Loss – Data breaches or violations of customer rights can lead to massive reputational damage for a business, and this could lead to customers losing trust in your brand and departing.
  • Lawsuits – GDPR isn’t the only thing you need to worry about. Data subjects also have the right to take legal action against businesses that violate GDPR.
  • Cybersecurity Risks – If you are not complying with GDPR, you are likely vulnerable to a data breach. Cyberattacks can cost millions in lost customer trust, fines, lawsuits and business disruption.

In short, compliance with GDPR is non-negotiable. Whilst big businesses are highlighted in the media, no company is too small to be fined for GDPR violations.

Can GDPR fines be covered by cyber insurance?

Cyber insurance is designed to protect you from internet-based risks. Any business serious about defending itself from the plethora of risks posed by cyberspace should have an active policy.

In the past, Google was fined $57 million by France’s data protection agency. Twitter was also fined $546,000 by Ireland’s Data Protection Commission in 2019 for a GDPR violation. With this in mind, it may seem automatic that your insurer will cover everything.

This is where matters get complicated. In other areas of insurance, it’s your insurer who decides on the validity of your claim; but, when it comes to GDPR, the regulator decides whether violations are insurable.

So, if the regulator decides that a fine is uninsurable, you will be forced to cover the fines out-of-pocket regardless of whether you have cyber insurance, and this could cripple a small business.

Suppose you’re wondering why this provision remains in place. In that case, it boils down to the EU wanting to avoid a situation whereby larger companies can freely violate GDPR and rely on their insurer to cover the aftermath.

GDPR guidelines for UK businesses

Insurance is a potent tool for protecting against the worst, but it should never be a replacement for addressing the risk.

Since cyber insurance will only cover GDPR violations sometimes, UK businesses must familiarise themselves with current GDPR guidelines.

Here’s a rundown of the basic guidelines every UK company must follow:

Data Protection Principles – All businesses must adhere to fundamental data protection principles, such as how they handle, process, store and dispose of data.

Lawful Basis – The lawful basis for processing pertains to the critical concepts of consent, necessity, legal obligation and interests.

Consent – Your firm must have a system set up to obtain consent from users before gathering their data. Moreover, a mechanism must allow users to withdraw their consent.

Data Subject Rights – Businesses must respect individual rights, including the right to access their data, rectify inaccuracies or delete their data.

Notifications – According to the law, UK firms must report all data breaches and suspected breaches to the Information Commissioner’s Office (ICO) within a strict 72-hour timeframe.

Record Keeping – All data processing activities must have available records that can be presented if an inspection occurs.

Minors – If processing the data of children, you must obtain parental consent. The current age of consent may differ based on the UK country.

These are a mere rundown of the points you must comply with under the law. If your business deals in large-scale data processing, you may also need to appoint a Data Protection Officer (DPO).

The impact of a GDPR violation for businesses

GDPR violations have already been outlined above, but whether you have cyber insurance or not could impact how your business recovers from the incident.

Here are the effects you can expect to experience if holding insurance vs not holding insurance.

Without Insurance

·  Fines of up to 20 million paid out-of-pocket.

·  PR disaster.

·  Loss of customers.

·  Severe growth implications.

With Insurance

·  Pay a small amount based on your policy’s deductible.

·  Allow your insurer to cover the costs stated in your policy.

·  Preserve your cash flow and continue your journey.

Are there limitations to cyber insurance for GDPR protection?

Whether your fines are insurable depends entirely on the decision of the regulator. Neither you nor your insurer has any say in this decision.

Typically, fines are not insurable for the UK or EU member states, so you should assume that your insurer will not cover your GDPR violations. However, cyber insurance is still helpful for other associated expenses, such as covering lawsuit settlements and legal costs.

How businesses can comply with GDPR insurance requirements

Complying with GDPR insurance requirements requires a root-and-branch approach. Expect significant disruption if you’re starting from ground zero.

Some of the areas to focus on include:

  • Conducting a risk assessment for GDPR-related risks.
  • Examining various coverage options.
  • Consulting with insurance brokers, legal professionals and cybersecurity experts.
  • Show evidence of data security measures in place.
  • Present a detailed incident response plan.
  • Maintain accurate compliance documentation.
  • Understand and comply with reporting obligations.
  • Initiate continuous monitoring

These steps will enable you to comply with GDPR while ensuring you maintain your comprehensive insurance coverage.

At Stanmore Insurance, we provide bespoke cyber insurance policies to businesses looking to protect themselves. For your insurance consultation, contact our team today.