The Actuary The magazine of the Institute & Faculty of Actuaries

Firms warned of limited insurance coverage for GDPR fines

There are just a few jurisdictions in the EU where fines imposed under the incoming General Data Protection Regulation (GDPR) can be covered by insurance, with Finland and Norway the only definite exceptions.

Limited insurance coverage against GDPR fines ©iStock

That is according to a new guide published by Aon, which shows that GDPR fines are generally not regarded as insurable in 20 of the 30 reviewed EU member states, including the UK, France and Italy.

It is unclear what the rules are in eight of the countries studied, with specific details, such as the conduct of the insured and whether the fine is classed as criminal, needing to be considered.

“GDPR will expose organisations to significantly higher risks related to how they manage and store personal data,” Aon Cyber Solutions EMEA chief commercial officer, Vanessa Leemans, said.

“Data breaches, and other cyber events, could see businesses face both major fines and extensive costs. It is therefore essential that organisations fully understand where their exposures lie.”

GDPR comes into force in just eight days’ time. It is designed to harmonise data privacy laws across Europe, giving extra protection to citizens’ data privacy, and applies to all firms that do business inside the EU.

Breaches can hit institutions with fines of up to 2% of their previous year’s global annual revenues for a first offence, and 4% for repeat offences, while criminal penalties are also possible.

Organisations may also face damage to both their reputation and market position if impacted by a high-profile data breach.

Aon said that, although insurability against GDPR fines is limited, businesses would still be able to get protection against the resulting business disruption associated with non-compliance.

Such costs could include legal fees and litigation, regulatory investigation, remediation and other costs connected with compensation and notification to impacted data subjects.

“They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place,” Leemans added.
