In May 2018, the brand-new, EU-wide General Data Protection Regulation replaced the Data Protection Act. While that's undoubtedly a good thing for our collective data security, the colossal fines for non-compliance mean it could be a very bad thing indeed for some businesses.
With that risk in mind, where does your professional insurance come in? Does it cover GDPR-related claims against you? What about those colossal fines? Is there GDPR insurance or something you can buy?
Good questions, all of which have been flung our way in recent weeks.
Maybe these answers will help.
GDPR insurance Q & As:
Can I buy GDPR insurance?
Well, there isn't a specific GDPR insurance policy just for GDPR-related claims, if that's what you mean.
GDPR is concerned with how organisations keep personal data secure. You can be sued by a client for the simple act of losing their data (a breach of confidentiality, covered by professional indemnity insurance), but this would be the case whether GDPR existed or not. And whether you had insurance or not.
If you're hacked or otherwise a victim of cybercrime, and data you hold goes missing, the costs of fixing systems and recovering that data are covered by cyber insurance. Again, there's no specific GDPR red flag here unless you've breached the regs by not making sure the data was secure in the first place. That would all come out in the wash once the ICO (Information Commissioner's Office) has been notified, of course...
Does my insurance cover fines for GDPR non-compliance?
As with any set of rules and regs, it's up to you as the business owner or manager to make sure you've ticked the necessary boxes. GDPR is something your business has to comply with, not a service your business offers.
So, insurance designed to fix problems with the service your business offers (professional indemnity insurance) doesn't cover fines for regulatory non-compliance.
Considering a fine will be up to either 4% of your annual revenue or €20m, it pays to do your homework and avoid any problems in the first place.
Do I need extra cover if I'm giving GDPR-related advice?
If you're, for example, a compliance consultant whose job is simplifying and explaining rules and regs and telling other businesses how to comply with them, giving GDPR advice is fine. It's reasonable to assume confused clients will call on you at some point to help with the new legislation.
Effectively, your insurer is already covering this so you don't need any specific clauses or wordings to say 'I'm doing GDPR now'. Increasing your level of cover just in case isn't a bad idea, though.
But if, say, you're an accountant and a client asks you to make sure they're GDPR compliant, you need to make sure your policy covers it. From an insurer's perspective, an accountant's expertise is balancing the books, not giving compliance advice. Getting involved in something outside your 'core' business increases risk, makes insurers nervous, and means they're more likely to refuse to pay a claim against you.
As always, the best thing is to pick up the phone and check.
Am I liable if my client's fined for GDPR non-compliance?
Again, let's say you're either a compliance consultant or someone engaged to give advice on business rules and regs.
If your client comes to you for GDPR advice, what you tell them is wrong or incomplete, and they're fined £200,000 by the ICO as a result, they have every right to demand you pay it.
Effectively, this is professional negligence and a breach of your duty of care (legal speak for the high standard of work expected of an expert). It's exactly the kind of claim your professional indemnity insurance helps with. In this case, assuming your level of cover is enough, your policy pays both your legal costs and your client's fine.
If your client hasn't specifically asked for advice, and is fined for breaching GDPR regs, they could argue your duty of care (yes, that again) means you should've at least given them a heads-up about it. That's unlikely to stand up in court, however, and they'd have a tough time arguing it out. In any case, your professional indemnity insurance pays to fight your corner.
Does having professional insurance make me GDPR compliant?
It goes without saying we're big fans of insurance and its business-rescuing benefits. But on this occasion, whether you have insurance or not won't make a difference to GDPR. The only thing that will is making sure you've ticked every GDPR box there is. Sorry about that.
So there we go. A little bleak, perhaps, and maybe a bit of a blow to discover GDPR insurance doesn't actually exist. But it's always worth knowing where you stand.
If you have more GDPR-related insurance questions, feel free to call 0345 222 5391 and ask one of the team.