GDPR & Cyber cover: What you need to know
The introduction of GDPR has changed the rules around data protection and privacy. Consumers have much more extensive rights around how their data is used, stored, and shared. Fail to protect your customers’ data properly and you could face hefty fines.
Thankfully, cyber cover can reduce your risk and help you stay on the right side of the regulations. This guide explains how cyber insurers can support business owners when it comes to GDPR and what to check for when looking for a new policy.
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect in 2018 and applies across the EU and the UK.
It regulates how our data is processed and managed by businesses, to protect consumers and to improve business data security standards.
As part of the introduction of the new laws, the Information Commissioner’s Office (ICO) was granted the power to issue fines to organisations that breach the new rules – these fines can be:
- Up to €20 million, or
- 4% of global turnover (whichever is higher)
These are not just theoretical figures. There have already been some massive fines issued by the ICO and its European counterparts, including:
- €50 million to Google in January 2019
- £183 million to British Airways in July 2019
- £99 million to Marriott International in July 2019
It’s not just large corporations that have been affected. In 2019, Doorstep Dispensaree, a pharmacy on Edgware Road, London, was hit with a £275,000 fine after failing to store patient records securely.
Does cyber insurance cover GDPR fines?
No, most insurers don’t offer cover for fines issued by the ICO, including GDPR related fines.
This is because insurance against fines imposed by an official body or regulator (for example the ICO) for criminal or quasi-criminal conduct is not permitted under English law.
Any insurance policy offering to pay these fines could be seen to negate the deterrent effect of the fine, which is prohibited.
However, it is fair to say that this is still a grey area for many insurers, and some do offer limited protection in this area – typically for less serious, non-criminal data breaches.
This means you may see some insurers advertising GDPR fine cover, but you should always carefully check exactly what the policy includes.
How can cyber cover help?
Even if most cyber insurance policies don’t cover GDPR fines directly, a good policy could prevent your business from having to pay them in the first place.
Many cyber insurers offer crucial support and help that could protect your business from hefty GDPR fines.
Responding to a breach
Fines are often levied when a business fails to respond properly to a breach, to notify the correct authorities, or to tell its customers that their data has been compromised.
Many cyber insurers offer support for business owners that can guide you through what your business needs to do to meet GDPR’s stringent requirements.
If you’re not confident of your regulatory obligations, 24/7 breach response support from your insurer could prove crucial, especially in the hours immediately after a data breach is confirmed.
For example, in many cases you have only 72 hours to notify the ICO of a data breach; the response team supplied by your insurer can help ensure this is done correctly and on time.
Improving your data security
The best way to avoid a GDPR penalty is to have robust and stringent IT security measures in place and to follow the key GDPR principles, namely:
It’s also in the best interests of your cyber insurer to improve your cyber security practices, and so many offer training and audits to review your practices.
How are GDPR fines calculated?
All fines issued for GDPR breaches must be decided on a case-by-case basis, and should be “effective, proportionate and dissuasive”.
In practice, fines are based on the severity of the case and depend on factors such as:
- How many people were affected
- The severity of the infringement
- Whether it was deliberate or accidental
- The precautions the business had taken
- Whether expected security measures were in place
- Whether it’s the business’s first GDPR infringement
- How you responded to the issue
How do privacy policies help websites adhere to GDPR?
A privacy notice is a GDPR requirement, and it must be:
- In a concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge
You can view a privacy notice checklist from the ICO here.
Does GDPR apply to small businesses?
Yes, it applies regardless of your business size; however, documentation requirements are less stringent for businesses that employ fewer than 250 staff.
What counts as personal data?
Personal data, or personally identifiable information (PII), is any data that can be used to identify an individual.
The individual doesn’t have to be identifiable from that information alone; it also counts if they can be identified from it in conjunction with other information.
Examples of personal data can include:
- Health information
- IP address
- Email addresses
How else can cyber insurance protect my business?
As well as offering support with notifying the ICO and reducing your risk of falling foul of GDPR, cyber insurance can financially protect your business from the impact of a data breach or cyber attack in lots of other ways, including:
- Paying to investigate the cause of a data breach or cyber attack
- Covering the cost of legal support following any claims made by third parties
- Providing PR and communications assistance to reduce the damage to your brand
You can read our guide on what cyber insurance covers for a detailed breakdown of the different ways it can protect your business.