27 July 2017 | Insurance

Preparing for GDPR: hindrance or opportunity?

The European Parliament’s General Data Protection Regulation (GDPR) is expected to come into effect on May 25, 2018. It is designed to enhance the data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market.

It will apply to any business—including insurers—based in the EU, or any business that is processing the personal data of EU citizens.

While it aims to give control over their personal data back to citizens and to simplify the regulatory environment for international business, it has presented re/insurers with a number of significant challenges in the form of new obligations, but also opportunities within the cyber insurance market.

In July’s AM Best briefing, GDPR: Implications for European Insurers and the Cyber Insurance Market, the ratings agency stated that while the GDPR will provide regulatory challenges for re/insurers, the requirement for mandatory notification of serious data breaches is also likely to fuel supply of and demand for cyber insurance in Europe.


These stricter data-breach reporting rules will require a business to notify any data breach which would be “likely to result in a risk to the rights and freedoms of individuals” to the relevant supervisory authority, according to the UK’s Information Commissioner’s Office.

The AM Best report suggested that in the short term the rules will enhance transparency, and a considerable increase in reported breaches will likely spread risk awareness, which will drive the demand for cyber products.

In the medium term, an increase in the availability of more reliable data—with positive implications for pricing models—should drive insurance supply and lead to new products in the market.

Don’t be unprepared

One of the greatest concerns surrounding GDPR is how unprepared not only the insurance industry but businesses in general are for the regulation that will affect them.

The GDPR may come as a nasty surprise for the unprepared business that suffers a breach and fails to adhere to the new regulations.

Under the current UK Data Protection Act 1998, firms face a maximum fine of £500,000 for security failings which put an individual’s data protection rights in jeopardy.

A contravention of the GDPR will result in a much heftier punishment. Small incidents will be subject to a maximum fine of either €10 million ($11.6 million) or 2 percent of an organisation’s global turnover (whichever is greater).

A larger, more serious incident could result in fines of up to €20 million ($23.2 million) or 4 percent of turnover (whichever is greater).

Human resources (HR) software solutions provider MHR published a survey in July 2017 of heads of HR, payroll managers, IT and insurance directors to determine their GDPR ‘readiness’, and revealed that 68 percent had not received any GDPR awareness training.

GDPR requires public authorities and private companies that are involved in regular monitoring or large-scale processing of sensitive data—which would extend to insurers—to appoint a data privacy officer—the survey found that only 53 percent had done so.

“Data privacy experts are predicting a Europe-wide shortage of suitably skilled data privacy officers (DPOs) by the time the regulations come into force in May 2018,” says Julie Lock, service development director at MHR.

Firms must also provide adequate GDPR training to staff handling or managing personal data so that they can recognise and address data breaches, along with carrying out a maturity audit and implementing its recommendations.

Lock continues: “Insurance firms also need to equip staff on GDPR through adequate training—understanding that the highest percentage of breaches reported tend to be caused by human error.”

Insurability of fines

The potentially huge financial impact—UK firms could be hit with multimillion pound fines—brings the question as to whether these hefty fines can be insured.

“There would be a considerable willingness from insurers to cover this particular risk if it is insurable,” says Jack Lyons, partner at JLT Specialty focusing on cyber, technology and media error and omissions.

With the market so soft, Lyons believes the industry “couldn’t get away with not insuring it”. And unless there are some big losses, he does not see it having any effect on pricing.

Will it be legal to insure against these fines? Intelligent Insurer reached out to the UK’s Information Commissioner’s Office (ICO), which stated that it would be up to the insurance companies whether they wanted to take on the risk.

“Because the regulation is still at an early stage—it has been passed by Brussels but hasn’t yet come into force,” says Fenchurch Law partner Jonathan Corman, “there is uncertainty over how the UK government will implement it.

“What we don’t know is whether the fines are going to be essentially criminal in nature or civil,” he explains.

Corman says that if the fines are criminal in nature, then they will be uninsurable, save perhaps in the situation where the liability is the result of strict liability, for example, if the breach is committed without having done anything culpable.

He gives the example of a motorist who was able to recover a fine under his insurance despite his offence—driving without valid motor insurance—being criminal.

The motorist thought he had valid insurance and had good reason to believe he had it, but due to the fault of his insurance broker, he did not have valid insurance.

“He was convicted for driving without insurance, but because he had done nothing wrong in any respect, he was able to recover the fine under some kind of insurance policy. That’s an example of some strict liability,” Corman explains.

If the penalties under the new regulation are going to be civil in nature, Corman says, they will be insurable under insurance law, apart from instances where the breach of the regulation which attracted the fine was deliberate.

“If somebody deliberately disclosed confidential information in breach of the guidelines for their own nefarious purposes and was fined, then they wouldn’t be insured against that.

“But if the breach was innocent, you could recover on your policy for the fine; if the breach was negligent you could still get cover under your policy for the fine.”

There is an increased focus on the ICO’s maximum fining powers, but the regulator’s focus remains on guiding, educating and advising.

“The new law equals bigger fines for getting it wrong, but it’s important to recognise the business benefits of getting data protection right,” an ICO spokesperson told Intelligent Insurer.

“Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, and it offers a payoff down the line, not just in better legal compliance but in a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.”

The post Brexit picture

One might wonder whether the GDPR will still apply to UK companies when the UK finally leaves the EU.

Under the assumption that GDPR comes into force before Brexit, Corman states that under the Great Repeal Bill, it will stay as part of UK domestic legislation unless it is specifically repealed.

“There’s a specific part of the regulation that says the individual EU member states can make that decision,” he adds.

The Queen referred to data protection in her speech to the Houses of Parliament on June 21, 2017, saying “A new law [the Data Protection Bill] will ensure that the UK retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the UK is the safest place to be online.”
