A business faced with new obligations is also faced with new risks. This is certainly true of the General Data Protection Regulation (GDPR), which introduces new rights and responsibilities as well as significantly higher maximum penalties for the most serious infringements.
Prudent businesses will always look to insurance as a means of protecting what’s important. And when it comes to data protection, ‘cyber insurance’ can be especially useful in helping you cover the costs and resources necessary to respond to a data breach effectively. Doubtless, the GDPR will cause many businesses to consider cyber insurance for the first time. We’ve also seen some evidence of insurers jumping on the GDPR bandwagon and using the arrival of the new data protection framework as a selling point for their policies.
For many organisations, cyber insurance can be a useful tool for reducing many of the data protection risks they face. But it cannot cover everything, not least because it currently looks highly doubtful that businesses will be able to recoup ICO fines from their insurers.
So how can insurance help you with the GDPR? This guide looks at some of the myths, benefits and limitations of insurance to help you find out.
What are your biggest GDPR risks?
The penalties linked to the GDPR have attracted plenty of commentary. But the UK’s Information Commissioner, Elizabeth Denham, has been careful to dispel the suggestion that businesses are automatically going to be hit with huge fines for GDPR breaches. The ability to impose financial penalties is just one of the powers available to the ICO, reserved for serious breaches and repeat transgressions. So when considering the risks associated with GDPR non-compliance, organisations shouldn’t focus only on fines, but on a range of other possible consequences, too. These include the following:
- Costs and resources required to respond to ICO interventions and investigations.
- Business interruption – especially if the company is required to stop operating while an investigation is ongoing.
- Civil claims for compensation brought by individuals whose rights and freedoms have been impacted by a GDPR breach.
- Damage to your reputation. When the ICO issues a sanction, this information is in the public domain.