Insurance broker Aon and law firm DLA Piper have reviewed the insurability of GDPR fines in jurisdictions across Europe

Aon and DLA Piper have produced a heatmap of the data regulatory environment across Europe and the insurability of fines for Europe’s General Data Protection Regulation (GDPR). 

GDPR is enforceable from 25 May 2018 and includes regulatory fines of up to €20m or, if higher, up to 4% of a group’s annual global turnover.

The report, issued jointly by law firm DLA Piper and insurance broker Aon, is entitled “The price of data security” and aims to answer whether GDPR fines are insurable in the countries where a company operates.

The potential financial impact of a data breach, in litigation, investigation and compensation costs, is also analysed in the report.

“GDPR will expose organisations to significantly higher risks related to how they manage and store personal data,” said Vanessa Leemans, chief commercial officer for Aon Cyber Solutions in Europe.

“Data breaches, and other cyber events, could see businesses face both major fines and extensive costs. It is therefore essential that organisations fully understand where their exposures lie,” said Leemans.

“They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place,” she said.

The guide highlights that there are currently only a few jurisdictions in Europe where civil fines can be covered by insurance and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured.

Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also allows European member states to impose their own penalties for personal data violations, the report emphasised.

Finland and Norway were declared “insurable” jurisdictions for GDPR fines.

Germany, the Netherlands, Poland and the Czech Republic were among the eight jurisdictions where the insurability of GDPR civil penalties was deemed “unclear”.

The report said: “In these jurisdictions specific details around individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.”

The UK, France, Belgium, Switzerland, Spain, Portugal, Austria and Italy were among the 20 countries where fines were thought not to be insurable (see the heatmap below).

The report noted that insurance – even if it cannot be used to pay a penalty to a national regulatory authority – still performs a useful risk transfer function to manage the costs incurred by a data breach.

Prakash Paran, partner and co-chair for DLA Piper’s global insurance sector practice, concluded: “While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organisations.

“However, corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses. Prevention is better than the cure,” Paran added.

Below is the heatmap from the report, showing insurability of penalties, as well as the intensity of data protection regulatory regimes around Europe. 

[Image: GDPR heatmap from the Aon/DLA Piper report (updated)]