The US is one of the biggest markets for cyber insurance, but you won’t be able to take out a policy protecting you from fines for breaches of the EU General Data Protection Regulation (GDPR). The law, which strengthens EU residents’ rights relating to their personal data, applies to all organizations that collect or process such information, including many in the US.
Insuring against fines would have been a massive boon for organizations, as the GDPR gives supervisory authorities the power to issue penalties of up to €20 million (about $24.4 million) or 4% of an organization’s global annual turnover, whichever is greater. US organizations that are subject to the Regulation must elect one of the EU member states’ supervisory authorities. However, it seems that no matter which member state an organization chooses, its laws don’t allow for insurance against GDPR fines.
Many data protection experts assumed this would be the case, but with the GDPR now in effect, it has been all but confirmed. Aon’s guide, The price of data security, found that almost all European countries prevent organizations from insuring against GDPR fines. The only exceptions are Finland and Norway.
The good news is that large fines will be much less common than many people have predicted. In most cases, supervisory authorities will only issue fines if other disciplinary action isn’t deemed suitable. Even if fines are necessary, the maximum penalty will be reserved for flagrant or repeated violations of the Regulation.
Insuring against breaches
Although it’s generally not possible to insure against fines, organizations can insure against other damages related to the GDPR. Depending on the circumstances of the violation, cybersecurity insurers will recompense organizations for the cost of:
- Legal fees
- Regulatory investigations
- Incident response
- Hiring a public relations firm to mitigate reputational damage
- Notifying and compensating affected data subjects
A small number of organizations have already taken out GDPR insurance, but such policies are expected to become more popular in the coming months. This will be partly a result of more people becoming aware of the GDPR and the repercussions of data breaches, but it will also be a logical next step for organizations once they are fully compliant with the Regulation.
Few organizations currently meet all of the Regulation’s requirements, so their attention is probably focused on compliance rather than insurance. In any event, insurers wouldn’t provide coverage to an organization that couldn’t prove that it had put the appropriate defenses in place. To demonstrate compliance, it’s necessary to document your security policies and the steps you’ve taken to protect personal data. This ensures that you have best practices in place and that employees are following them. Some documentation, such as privacy notices, is essential for informing customers of your compliance measures.
It can be difficult to know where to begin when creating documentation, particularly if you’re part of a large organization with many objectives, contacts, and responsibilities. That’s where our EU General Data Protection Regulation (GDPR) Documentation Toolkit comes in.
This toolkit has been designed and developed by expert GDPR practitioners, and has been used by thousands of organizations across the globe. It includes:
- A complete set of easy-to-use and customizable documentation toolkits, saving you time and money in your compliance preparations
- Dashboards and project tools to make sure you cover every documentation requirement
- Direction and guidance from GDPR experts
- Two licenses for the GDPR Staff Awareness E-learning Course