Should your business invest in GDPR insurance?

On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect across the UK.

The GDPR has replaced the Data Protection Act (DPA) and aims to target how the public and private sector handles an individual’s information.  Any company that stores or processes data will be held accountable from personal records such as names and addresses to sensitive data for example financial and medical details.  The new legislation therefore places much greater obligations on businesses and other entities that process data.

It is essential to understand how your business should comply with the new regulation.  Obtaining a GDPR insurance policy could help to protect your business to ensure that you have the right structure and plan in place to protect your systems and the information you collect, process, store and share. Failure to comply will result in an intense investigation and possibly be subject to, a two-tiered sanction regime of either €10 million (£7.9 million) or 2 per cent of an organisation’s global turnover (whichever is greater).  For more serious cases fines of up to €20 million or 4 per cent of turnover (whichever is greater) could be imposed.

In addition to our GDPR insurance policies, Crendon Insurance also offers Cyber Attack Insurance to provide the reassurance you need when dealing with Data Breaches.

How will GDPR insurance cover your business?

  • Notification of the Regulator– on becoming aware of a breach, companies have to notify the Regulator (ICO) within 72 hours unless there is a reasonable excuse not for doing so – this puts massive pressure on a company to prepare their case in a very short time period. Cyber Security & Data Protection Insurance policies usually provide immediate First Response.
  • IT Forensic Services– on discovering a breach it is important for a company to be able to quantify what data has been taken and cyber security insurance provides this service.  If you cannot calculate how much data has been lost/stolen/hacked, then the regulator is likely to make you notify all customers who have potentially had their data breached and the resultant PR fallout can be catastrophic. It is therefore extremely important to have expert IT forensic specialists to establish what data has been accessed and copied.  A data breach isn’t like having your house burgled where you can easily establish what has been taken – the data is still there, it’s just been copied by a cyber-criminal and in-house IT departments are not forensic experts and can often accidentally destroy vital evidence with good intentions (a bit like walking over evidence at a crime scene before forensics have arrived!).
  • PR Costs– due to mandatory notification breaches will be publicised and this could potentially lead to damaged reputation, loss of confidence etc. Cyber Security insurance therefore provides you with access to expert global PR consultancy firms.
  • Notification of Breached Data Subjects– the costs of notifying each of your customers/clients. For example, if this is by post, if you take the price of a 1st class stamp and multiply it by the overall number of potentially breached data subjects, costs can escalate very quickly.
  • Group Action Litigation Risk Increases– when the Breaches are publicised by the regulator, it increases the likelihood of liability claims and group action litigation (law firms representing multiple claimants to go after companies who have breached personal data)

To find out more about how GDPR Insurance could protect your business, please contact us. We will be pleased to discuss GDPR Insurance in more detail as well as other cyber security issues to see whether there is an exposure to your business and if so, the options available to you through our annual 12 month GDPR Insurance packages.

Further Reading: