As Europe’s GDPR Data Regulation Comes Into Force, the Insurability of the Fines Comes Into Focus

OPINION: The GDPR arrives this month; Is the EU so far away?

Companies in Asia, Europe and elsewhere may be fined up to €20 million or up to 4% of annual global turnover if they fail to protect information on EU citizens in their databases, under the General Data Protection Regulation (GPDR) that comes into effect on May 25, 2018.

Can companies insure against fines and costs associated with non-compliance such as litigation, investigation and compensation? It depends, according to “The Price of Data Security,” a new study by risk management firm Aon and law firm DLA Piper.

According to the report, there are currently only a few jurisdictions in Europe where civil fines can be covered by insurance. And criminal penalties are almost always never insurable. There must be no deliberate wrongdoing or gross negligence on the part of the insured.

Yes, no, maybe

The key findings include:

  • GDPR fines are insurable in only two of the countries reviewed – Finland and Norway
  • In 20 out of 30 reviewed jurisdictions, GDPR fines would generally not be regarded as insurable, including the UK, France, Italy and Spain
  • In eight of the jurisdictions, it is unclear whether GDPR fines would be insurable. In these jurisdictions specific details around individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.

While the insurability of GDPR fines may be limited, insurance should still be considered as a key component of an organization’s risk management strategy to manage costs associated with GDPR non-compliance and resulting business disruption losses, says the report.

Such costs could include legal fees and litigation, regulatory investigation, remediation and other costs associated with compensation and notification to affected data subjects.

Prevention better than the cure

“Data breaches, and other cyber events, could see businesses face major fines, but these may be outweighed by legal and investigative costs, business interruption losses and exposure to third party liability, all of which are insurable,” says Andrew Mahony, Regional Director, Financial Services & Professions Group, Asia, Aon.

“Organizations should work closely with their insurance partners to ensure that they have an appropriate risk transfer solution in place.”

Adds Prakash Paran, Partner and Co-Chair, Global Insurance Sector at DLA Piper: "While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available.”  

“Prevention is better than the cure,” he stresses. “Corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses.”