As companies scramble to be GDPR-ready, with only a week left before the General Data Protection Regulation is enforced, a new guide shows you can’t be covered against fines if you operate in the UK… and, well, pretty much everywhere else.
In fact, of the 30 countries reviewed by Aon and DLA Piper, it turns out such fines are insurable in only two jurisdictions – Finland and Norway. In most countries the answer seems an outright no, while eight countries are labelled as ‘unclear’.
“In these jurisdictions specific details around individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered,” said the two firms in a joint announcement when the guide “The price of data security” was released.
These ‘unclear’ countries are the Czech Republic, Estonia, Germany, Greece, Lithuania, the Netherlands, Poland, and Sweden.
“GDPR will expose organisations to significantly higher risks related to how they manage and store personal data,” said Vanessa Leemans, chief commercial officer, Aon cyber solutions EMEA. “Data breaches, and other cyber events, could see businesses face both major fines and extensive costs.
“It is therefore essential that organisations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place.”
Aside from the GDPR penalties, the guide also examined the insurability of costs associated with non-compliance, as well as the insurability of non-GDPR regulatory fines.
“While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organisations,” said Prakash (PK) Paran, co-chair of global insurance sector at DLA Piper.
But the law firm partner believes prevention is better. “Corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses,” he said.