14 June 2017Insurance

New UK data protection rules could result in fines being issued

The General Data Protection Regulation (GDPR), which is set to come into effect in the UK on May 25, 2018, is driving good reporting behaviour as businesses become increasingly digitised and the reporting of data breaches becomes mandatory.

This is according to Katie Moore, a buyer of cyber coverage for the Vodafone Group, who spoke alongside a panel of cyber specialists speaking at the Airmic Conference 2017.

Moore affirmed that the incoming GDPR is making businesses put more effort into managing and understanding their potential cyber exposures, due to the consequences from a failure to comply with regulations.

“These regulations really have some teeth in terms of the penalties,” added Patrick Hill, partner at law firm DAC Beachcroft.

Hill suggested that the levels of fines and penalties that can be imposed from a breach of the regulation are significant, with a potentially maximum fine in the UK of half a million pounds at present. However, under GDPR, the fines could rise up to over €20 million (£17.6 million).

However, there is potentially light at the end of the tunnel, as Hill argued that a policyholder may be able to insure against these types of penalties, although the Information Commissioner's Office (ICO) who impose the fines have been silent as to whether the fines can be insured, and whether that part of the exposure can be risk transferred.

Hill also noted that criminal fines definitely can’t be insured against, nor civil fines and penalties, imposed as an act of wilful default, illegality and fraud.

He said there was however an argument that you can insured against those types of civil penalties for what is essentially an act of innocent default.

Hill said he asked ICO about the insurability of ICO fines, who said they did not care if they insured against the fines, and that it is simply a matter of risk transfer.

While there is an element of ‘wait and see’ on the insurability of these fines, James Burns, cyber product leader at CFC Underwriting, said if they are insurable legally, they will be insured.

“It’s quite subjective,” Burns said. “If they are insurable legally, we will insure them. It’s not helpful that GDPR is silent, and it doesn’t tell clients if they can risk transfer that part of the exposure.”

Already registered?

Login to your account

To request a FREE 2-week trial subscription, please signup.
NOTE - this can take up to 48hrs to be approved.

Two Weeks Free Trial

For multi-user price options, or to check if your company has an existing subscription that we can add you to for FREE, please email Elliot Field at efield@newtonmedia.co.uk or Adrian Tapping at atapping@newtonmedia.co.uk


More on this story

Insurance
13 June 2017   An increased reliance on digital technology due to the competitive environment brought on by so-called ‘Industry 4.0’ has created more complex and harmful exposures to cyber events.
Insurance
14 June 2017   Insurers are grappling with the quantification of the damage to a business’s reputation that arises from a cyber attack, as this is not currently covered in cyber policies across the industry.