The EU General Data Protection Regulation (the GDPR), which came into force in May 2018, allows the UK Information Commissioner’s Office (ICO) to impose fines of up to €20 million or 4% of global turnover (whichever is higher) on organisations that breach the GDPR.

An important question which arises is whether GDPR fines can be covered by insurance, a question which has been highlighted recently following on from the announcement of the €50 million imposed on Google by the French data regulator.

The issue of whether or not businesses can obtain insurance cover for regulatory fines generally depends on the local law. Many English law policies say that they will insure against fines and penalties provided that these are insurable under the law of the policy. As a matter of UK law, it is not generally possible to obtain cover for fines imposed of criminal or quasi-criminal conduct for public policy reasons.

The Global Federation of Insurance Association has asked the Organisation for Economic Cooperation and Development for guidance to clarify the confusion as to the insurability of fines and penalties for the benefit of consumer and insurer contract certainty. The OECD has agreed that it will look at the issue, and it is hoped that guidance will be issued in the near future.