
GDPR: your questions answered

GDPR and ePrivacy Regulations

Good Day Possibly Ruined

25 May 2018 sees the brand-new, EU-wide General Data Protection Regulation replace the Data Protection Act. While it's undoubtedly a good thing for our collective data security, the colossal fines for non-compliance mean it could be a very bad thing indeed for some businesses.

With that risk in mind, where does your professional insurance come in? Does it cover GDPR-related claims against you? What about those colossal fines? Is there GDPR insurance or something you can buy?

Good questions, all of which have been flung our way in recent weeks.

Maybe these answers will help.

What insurance covers GDPR?

Well, there isn't a specific GDPR insurance policy just for GDPR-related claims, if that's what you mean.

GDPR is concerned with how organisations keep personal data secure. You can be sued by a client for the simple act of losing their data (a breach of confidentiality, covered by professional indemnity insurance), but this would be the case whether GDPR existed or not. And whether you had insurance or not.

If you're hacked or otherwise a victim of cybercrime, and data you hold goes missing, the costs of fixing systems and recovering that data are covered by cyber insurance. Again, there's no specific GDPR red flag here unless you've breached the regs by not making sure the data was secure in the first place. That would all come out in the wash once the ICO's been notified, of course...

Does my insurance cover fines for GDPR non-compliance?

As with any set of rules and regs, it's up to you as the business owner or manager to make sure you've ticked the necessary boxes. GDPR is something your business has to comply with, not a service your business offers. So, insurance designed to fix problems with the service your business offers (professional indemnity insurance) doesn't cover fines for regulatory non-compliance.

Considering a fine will be up to either 4% of your annual revenue or €20m, it pays to do your homework and avoid any problems in the first place.

Do I need extra cover if I'm giving GDPR-related advice?

If you're, for example, a compliance consultant whose job is simplifying and explaining rules and regs and telling other businesses how to comply with them, giving GDPR advice is fine. It's reasonable to assume confused clients will call on you at some point to help with the new legislation. Effectively, your insurer is already covering this so you don't need any specific clauses or wordings to say 'I'm doing GDPR now'. Increasing your level of cover just in case isn't a bad idea, though.

But if, say, you're an accountant and a client's asked you to make sure they're GDPR compliant, you'll need to make sure your policy covers it. From an insurer's perspective, an accountant's expertise is balancing the books, not giving compliance advice. Getting involved in something outside your 'core' business increases risk, makes insurers nervous, and means they're more likely to refuse to pay a claim against you. As always, the best thing is to pick up the phone and check.

Am I liable if my client's fined for GDPR non-compliance?

Potentially, yes.

Again, let's say you're either a compliance consultant or someone engaged to give advice on business rules and regs.

If your client comes to you for GDPR advice, what you tell them is wrong or incomplete, and they're fined £200,000 by the ICO as a result, they have every right to demand you pay it. Effectively, this is professional negligence and a breach of your 'duty of care' (legal speak for the high standard of work expected of an expert). It's exactly the kind of claim your professional indemnity insurance helps with. In this case, assuming your level of cover is enough, your policy pays both your legal costs and your client's fine.

If your client hadn't specifically asked for advice, and was fined for breaching GDPR regs, they could argue your duty of care (yes, that again) means you should've at least given them a heads up about it. That's unlikely to stand up in court, however, and they'd have a tough time arguing it out. In any case, your professional indemnity insurance pays to fight your corner.

Does having professional insurance make me GDPR compliant?

It goes without saying we're big fans of insurance and its business-rescuing benefits. But on this occasion, whether you have insurance or not won't make a difference to GDPR. The only thing that will is making sure you've ticked every GDPR box there is. Sorry about that.

So there we go. A little bleak, perhaps, but it's always worth knowing where you stand.

If you have more GDPR-related insurance questions, feel free to call 0345 222 5360 and ask one of the team.
