The General Data Protection Regulation (EU) 2016/679 (GDPR) came into effect on 25 May 2018. It has undeniably revolutionised the data protection regime and significantly affected how organisations worldwide collect, use, manage, protect, and share personal data that comes into their possession.
As personal data increasingly represents an important new class of economic asset for organisations, GDPR has significantly increased the enforcement powers available to regulators. GDPR fines can reach up to €20 million, or up to 4% of a group’s annual global turnover if higher. Two recent examples: the UK Information Commissioner’s Office (ICO) issued a notice of intent to impose a fine of €204 million on an airline company, representing about 1.5% of the company’s global turnover; and the ICO issued another notice of intent to impose a fine of €110 million on an international hotel chain, representing about 3% of the company’s global turnover.
The scale of these fines has understandably generated concern in boardrooms. GDPR has replaced a regime under which fines for a data breach were limited and enforcement actions infrequent. The regulatory environment across European Member States is undoubtedly shifting and regulators now have greater powers of enforcement, and significant GDPR fines are expected to be imposed where organisations are subject to investigations.
Moreover, the consequences of GDPR non-compliance are not limited to monetary fines. There are also other costs associated with non-compliance. These costs, potentially resulting from a data breach, could include, for example, legal fees and litigation, regulatory investigation, remediation, public relations, and other costs associated with compensation and notification to impacted data subjects. Furthermore, the potential damage to an organisation’s reputation and market position can be significant.
The magnitude of GDPR fines means organisations are keen to know whether these fines can be insured. Typical cyber insurance policies only insure fines when “insurable by law”, and stipulate that the insurability of fines or penalties shall be determined by the “laws of any applicable jurisdiction that most favours coverage for such monetary fines or penalties.” Organisations also need to consider other costs and liabilities that could result from GDPR non-compliance.
Given the size of the potential financial impact of GDPR non-compliance, it is important for organisations to understand how the insurability of fines, legal and other costs and liabilities following a data breach is approached in different jurisdictions. In this guide we provide an overview of the insurability of fines and resulting costs across Europe (information current at date of publishing) as a resource for all those organisations affected by GDPR.
There are only a few jurisdictions where it is clear that civil fines can be covered by insurance - even then there must be no deliberate wrongdoing or gross negligence on the part of the insured. Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also permits European Member States to impose their own penalties for personal data violations. If those penalties are criminal, they almost certainly would not be covered by insurance.
“While there are only a few jurisdictions where GDPR fines are insurable or not at any risk of being challenged legally, insurance against legal costs and liabilities following a data breach is widely available and enforceable across Europe and may provide valuable cover to organisations. However, corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses. Prevention is better than the cure.”