GDPR – What protection can insurance policies provide to businesses?

On 25th May 2018, the General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998. The new directive will bring enhanced levels of accountability and enforcement around the handling of personal data.

The ‘headline’ item among the changes to be brought in will be the Information Commissioner’s Office (ICO) power to fine companies up to 4% of annual worldwide turnover or 20M Euros, whichever is the higher, for the most serious breaches of GDPR. For many UK SME’s, this 4% maximum penalty would have a significant and instant impact upon a company’s Balance Sheet. For less serious breaches of GDPR, the maximum penalty threshold is 2%/10M Euros which still represents a large potential expense to which companies are exposed.

It is worth noting also that some industry regulatory bodies have the power to fine member companies found to be in breach of data protection guidelines. The Financial Conduct Authority (FCA), for example, has the ability to impose unlimited fines on registered firms.

In response to the increasing threat of data breaches, either intentional or accidental, many insurers have developed Cyber & Data Protection Insurance policies to cater specifically for these new exposures.

There are two key components within a Cyber & Data policy to look for in order to ensure that your business is adequately protected under GDPR.

  1. Loss of/Damage to Documents – With more data being kept in electronic rather than hard copy format the risk exposure has also changed to encompass a range of media types. ‘Loss of Documents’ cover as often found in Professional Indemnity policies, and usually sub-limited, has typically catered for scenarios where a company employee has left a client file on a train for example. A Cyber & Data policy is specifically designed to cater for the digital equivalent of this scenario.
  2. Regulatory fines – Whilst some insurance policies will cater for the cost of the fines highlighted in the paragraphs above (subject to policy limits) others will not extend cover to regulatory fines at all. It is very important therefore to check that this cover is included and is adequate for your needs. One way to calculate this would be as set out below ;

Using the GDPR maximum fine level of 4%, a company can set its level of cover for regulatory fines arising under the new directive as 1/25th of annual worldwide turnover. Companies with a turnover up to £2.5m therefore would have adequate cover for GDPR fines with £100,000 limit of indemnity for this section, subject to policy terms and conditions.

Note – this calculation only applies to GDPR, not other regulatory body fines that may be handed down and are harder to quantify. The cover for regulatory fines may be sub-limited as a percentage of the overall limit of indemnity and is most likely part of an aggregate basis of cover. Cover does not extend to Criminal or Civil fines.

As the introduction of GDPR nears, businesses will need to make suitable enhancements to their internal policies and procedures. Having a Cyber & Data insurance policy in place will give business owners the additional peace of mind that in the event of a breach they have the support of an insurer and its claims advisers.

For more insurance & risk management tips for your business, please contact Dominic Hutt on 07786 494 847 or