
In May 2018, the EU-wide General Data Protection Regulation (GDPR) came into force, replacing the Data Protection Act 1998 as the UK's main data protection law. After Brexit, the UK government retained GDPR in domestic law, where it's now known as 'UK GDPR'.
Now, UK GDPR is a wide-ranging regulation that sets the rules for any UK company that stores, collects, or processes individuals’ personal data.
While that's undoubtedly a good thing for our collective data security, the colossal fines for non-compliance mean it could be a very bad thing indeed for some small businesses.
With that risk in mind, where does your professional insurance come in? Does it cover UK GDPR-related claims against you? What about those colossal fines? Is there such a thing as UK GDPR insurance you can buy?
Good questions, all of which have been flung our way in recent weeks.
Maybe these answers will help.
UK GDPR insurance Q & As:
Can I buy UK GDPR insurance?
No.
Well, there isn't a specific UK GDPR insurance policy just for UK GDPR-related claims, if that's what you mean.
UK GDPR is concerned with how organisations collect, use, and keep personal data secure. You can be sued by a client for the simple act of losing their data (a breach of confidentiality, covered by professional indemnity insurance), but this would be the case whether UK GDPR existed or not. And whether you had insurance or not.
If you're hacked or otherwise a victim of cybercrime, and data you hold goes missing, the costs of fixing systems and recovering that data are covered by cyber insurance. You'll get legal advice and PR assistance thrown in, too, to help you manage your reputation.
Again, there's no specific UK GDPR red flag here unless you've breached the regs by not making sure the data was secure in the first place. That would all come out in the wash once the ICO (Information Commissioner's Office) has been notified, of course. And if the breach is likely to put people at risk, UK GDPR expects that notification within 72 hours of you becoming aware of it.
Cyber insurance helps notify them and gives you legal advice during the whole process.
Does my insurance cover fines for UK GDPR non-compliance?
No.
As with any set of rules and regs, it's up to you as the business owner or manager to make sure you've ticked the necessary boxes. UK GDPR is something your business has to comply with, not a service your business offers. Cyber insurance can only help with the technical, PR, and legal side of things following a data breach caused by cybercriminals, not with UK GDPR-related fines.
So, insurance designed to fix problems with the service your business offers (professional indemnity insurance) doesn't cover fines for regulatory non-compliance.
Considering a fine can be up to £17.5m or 4% of your annual worldwide turnover, whichever is higher, it pays to do your homework and avoid any problems in the first place.
Do I need extra cover if I'm giving UK GDPR-related advice?
Depends.
If you're, for example, a compliance consultant whose job is simplifying and explaining rules and regs and telling other businesses how to comply with them, giving UK GDPR advice is fine. It's reasonable to assume confused clients will call on you at some point to help with the legislation.
Effectively, your insurer is already covering this, so you don't need any specific clauses or wordings to say 'I'm doing UK GDPR now'. Increasing your level of cover just in case isn't a bad idea, though.
But if, say, you're an accountant and a client asks you to make sure they're UK GDPR compliant, you need to make sure your policy covers it. From an insurer's perspective, an accountant's expertise is balancing the books, not giving compliance advice. Getting involved in something outside your 'core' business increases risk, makes insurers nervous, and means they're more likely to refuse to pay a claim against you.
As always, the best thing is to pick up the phone and check.
Am I liable if my client's fined for UK GDPR non-compliance?
Potentially, yes.
Again, let's say you're either a compliance consultant or someone engaged to give advice on business rules and regs.
If your client comes to you for UK GDPR advice, what you tell them is wrong or incomplete, and they're fined (say, £200,000) by the ICO as a result, they have every right to come after you for it.
Effectively, this is professional negligence and a breach of your duty of care (legal speak for the high standard of work expected of an expert). It's exactly the kind of claim your professional indemnity insurance helps with. In this case, assuming your level of cover is enough, your policy pays both your legal costs and your client's fine.
If your client hasn't specifically asked for advice, and is fined for breaching UK GDPR regs, they could argue your duty of care (yes, that again) means you should've at least given them a heads-up about it. That's unlikely to stand up in court, however, and they'd have a tough time arguing it out. In any case, your professional indemnity insurance pays to fight your corner.
Does having professional insurance make me UK GDPR compliant?
No.
It goes without saying we're big fans of insurance and its business-rescuing benefits. But on this occasion, whether you have insurance or not won't make a difference to UK GDPR. The only thing that will is making sure you've ticked every UK GDPR box there is. Sorry about that.
So there we go. A little bleak, perhaps, and maybe a bit of a blow to discover UK GDPR insurance doesn't actually exist. But it's always worth knowing where you stand. And that cyber insurance can help with at least some of the technical and legal aspects of UK GDPR-related claims.
If you have more UK GDPR-related insurance questions, feel free to call 0345 222 5391 and ask one of the team.