New UK data protection rules could result in fines being issued

The General Data Protection Regulation (GDPR), which is set to come into effect in the UK on May 25, 2018, is driving good reporting behaviour as businesses become increasingly digitised and the reporting of data breaches becomes mandatory.

This is according to Katie Moore, a buyer of cyber coverage for the Vodafone Group, who spoke alongside a panel of cyber specialists speaking at the Airmic Conference 2017.

Moore affirmed that the incoming GDPR is making businesses put more effort into managing and understanding their potential cyber exposures, due to the consequences from a failure to comply with regulations.

“These regulations really have some teeth in terms of the penalties,” added Patrick Hill, partner at law firm DAC Beachcroft.

Hill suggested that the levels of fines and penalties that can be imposed from a breach of the regulation are significant, with a potentially maximum fine in the UK of half a million pounds at present. However, under GDPR, the fines could rise up to over €20 million (£17.6 million).

However, there is potentially light at the end of the tunnel, as Hill argued that a policyholder may be able to insure against these types of penalties, although the Information Commissioner's Office (ICO) who impose the fines have been silent as to whether the fines can be insured, and whether that part of the exposure can be risk transferred.

Hill also noted that criminal fines definitely can’t be insured against, nor civil fines and penalties, imposed as an act of wilful default, illegality and fraud.

He said there was however an argument that you can insured against those types of civil penalties for what is essentially an act of innocent default.

Hill said he asked ICO about the insurability of ICO fines, who said they did not care if they insured against the fines, and that it is simply a matter of risk transfer.

While there is an element of ‘wait and see’ on the insurability of these fines, James Burns, cyber product leader at CFC Underwriting, said if they are insurable legally, they will be insured.

“It’s quite subjective,” Burns said. “If they are insurable legally, we will insure them. It’s not helpful that GDPR is silent, and it doesn’t tell clients if they can risk transfer that part of the exposure.”