GDPR and cyber insurance
Cyber insurance and GDPR. It's an area most businesses take great pains to grasp.
But it’s important they do so. For the sake of their own data security and that of their clients.
Because frankly, the potential consequences of GDPR non-compliance are too serious to ignore.
Try colossal fines from the ICO (Information Commissioner’s Office) on for size. Or the huge reputational fallout resulting from putting your employees’, customers’, and clients’ personal data at risk.
With that in mind, you might look to your cyber policy for help. But does cyber insurance cover GDPR claims? Or any of those dreaded fines?
How GDPR started
Data’s valuable. Not just to you, but to the cybercriminals looking to steal, sell, or extort it.
Any personally identifiable info, including payment details, contact details, or IP addresses, can be used to harm the people it belongs to. Namely you, your clients, your customers, and your suppliers.
Which is why GDPR (General Data Protection Regulation) exists in the first place. It sets the rules for how organisations keep personal data secure. So everyone’s held accountable.
What’s more, it applies to all organisations based in the UK and EU. Especially those that collect, store, or process personal data in any way. Whether that’s by using computers and email, having a website, trading online, or storing info digitally.
How GDPR’s going
Since GDPR was first rolled out across the EU in 2018, replacing the Data Protection Act 1998, it’s seen business owners scrambling to tick the right boxes to stay GDPR compliant.
And while the GDPR regulations for UK businesses have changed slightly since the UK’s withdrawal from the EU in January 2020, the consequences of non-compliance are as real as ever.
Fall foul of the rules and regs, or suffer a data breach, and you could be looking at an ICO-issued fine of either up to 4% of your annual revenue or £17.5m. Whichever’s higher.
Even if all you've done is breach the requirements, you’re still in line for a hefty fine of either 2% of your annual revenue or £8.7m.
Regular scrutiny
Regulatory investigations aren’t all that uncommon, either. According to the ICO’s Data security incident trends dashboard, 9,282 data breaches were reported between 2019 and 2022. Of those, 7,106 ended in an investigation or informal action being taken in 2022.
Headline-hitting examples include British Airways, which was fined £20m in 2020 after hackers harvested the personal data of 400,000 website users by redirecting them to a fraudulent page.
As a small business or a sole trader, you might draw comfort from knowing your customer base is much smaller than the likes of giant companies like BA. Surely fewer customers = less risk?
Unfortunately, cybercrims aren’t picky about who they target. If they can breach the cyber defences of a small business, they will.
And seeing as GDPR rules and fines apply to all businesses that regularly process personal data, it’s probably best to do your homework on GDPR and cyber insurance.
The relationship between GDPR and cyber insurance
There’s no such thing as ‘GDPR insurance’ per se. But cyber insurance can definitely help with some aspects of GDPR-related claims.
You can be sued by a client for accidentally losing or sharing their data. However, this is sometimes covered by your professional indemnity (PI) insurance under ‘breach of confidentiality’.
There's a crucial difference between cyber and PI, which is that PI's designed to fix problems with the service your business offers.
So, if you’ve leaked your client’s sensitive data by accidentally forwarding it to everyone in your inbox, and it’s caused them financial loss, that’s covered by your PI policy.
Where cyber insurance steps in, however, is where the data loss comes hot on the heels of a cyber breach or attack that's outside of your control. As cybercrime and cybersecurity issues can cost a lot to fix, they need their own, separate policy to cover them.
How cyber insurance helps during a data breach
The good news is, cyber insurance is designed to act fast when shouldering the cost of a GDPR-related data breach (for most of them, at least).
It does this by:
- Reporting the breach to the ICO within 72 hours of its discovery (as required by law)
- Hiring IT experts to help contain the breach, fix systems, and attempt to retrieve the stolen data
- Setting up a call centre to contact anyone affected by the breach
- Covering compensation and legal fees if you're sued for personal data loss
- Compensating you for business interruption
- Giving legal advice during ICO investigations
- Providing PR assistance to limit damage to your reputation.
As far as preventative measures go, some cyber insurance policies go the extra mile by offering staff training programmes in GDPR and data protection.
This might cover topics like what privacy information staff are allowed to give out, as well as all the necessary procedures for dealing with a data breach when it happens.
Does cyber insurance cover GDPR fines?
This is a grey area.
Morally, there’s no definitive ‘yes’ to this question. Because if cyber insurance were a sure-fire fix for breaching data regs, what’s to stop businesses from riding roughshod over their customers’ personal data?
Practically speaking, some regulatory fines are covered and some aren’t. ICO investigations are evaluated on a case-by-case basis. So it just depends.
Where cyber insurance might not help you is where you’re a victim of cybercrime, but you’ve been so grossly negligent in securing your data that your insurer won’t cover you.
What’s more, all data breaches, regardless of their size or scale, must be reported to the ICO so they can determine whether a formal investigation is necessary.
Which is why a) having cyber insurance, and b) toeing the line on GDPR is so important. Because you can’t predict what the outcome of a GDPR breach might be. And it’s best not to find out the hard way.
Staying on top of GDPR
First, you should know what data GDPR is concerned with protecting.
There are two categories:
- ‘Personal data’ (or ‘personally identifiable data’) including names, addresses, marital statuses, job titles, etc.
- ‘Sensitive data’ including genetic, cultural, economic, and social identifiers – IP addresses, mental health information, religious and political beliefs, etc.
Once you know what kind of data you collect, you need to make sure you’re using it fairly and correctly. Also, that you have a valid reason (or ‘lawful basis’) for doing so. The ICO have a handy tool to help you check this.
You should also check your IT security measures are fit for purpose. Higher-risk and sensitive data may need more safeguarding. For example, you might have to carry out a Data Protection Impact Assessment or evaluate how your activities affect people’s individual rights.
By the way, the ICO’s small business advice hub is a fount of knowledge for all things GDPR-related. It offers tips on data protection, as well as compliance quizzes and guidance on how to respond to a data breach.
Shipshape GDPR fashion
Good data handling is something all responsible small businesses and sole traders should strive for. No one’s impervious to cybercrime, unfortunately. But learning the ins and outs of handling and storing your personal data proves to your clients, customers and the ICO alike that you run a tight ship.
If something untoward does happen to your data, having cyber insurance helps you react quickly and confidently, minimising the chances of long-term damage to your business.
If you have any questions about GDPR and cyber insurance, you can call our team on 0345 222 5391. Or simply start a cyber insurance quote.