The 25th May 2018 creeps up on us. On this day both the UK and Europe will see initiation of the General Data Protection Regulations (GDPR), which intends to strengthen and unify data protection for all European Union (EU) based citizens.
This change will see implementation of new rights surrounding personal data, how it is accessed, used, and stored, with significant changes to consent and associated exemptions. Personal data can only be processed with active consent, and not via ‘box-ticking’. Organisations must make it easy for clients to withdraw their approval if desired, and in the event of a data breach, data subjects must be informed within 72 hours of the cyber-attack. Additionally, the definition of personal data has been extended to include IP addresses and mobile IDs.
Cyber-attacks are becoming increasingly prevalent, compromising the data of innocent individuals who put their ‘protection faith’ in you. Post GDPR roll-out, organisations must assume an elevated level of responsibility for customer data and will need to have measures in place to protect it with the highest integrity. Implementation of the best software, superior staff training methods, and appropriately built firewalls are all promoted where cyber-attack prevention in concerned, but every organisation carries ‘people risk’, and so, what if your safeguards fail?
A cyber insurance policy acts as your safety net, essentially providing a pre-paid solution to:
- Restore your systems
- Advise on what needs to be done
- Notify data subjects
- Fund regulator fees where permissible
- Reimburse damages and costs arising from claims against you
There is much speculation with regards to the insurability of fines issued by the ICO in association with GDPR. Judgement on the insurability of these fines come down to whether the infringement is considered by the ICO as an unlawful act that was intentional, unintentional, or because of negligence. Unintentional infringements are unlikely to result in fines, they are much more likely to be enforced if the ICO have evidence of negligence to some degree through the non-adherence of codes of conduct, or the poor implementation of required procedures. Where the ICO issues fines for failing to comply with regulation, these are likely to be uninsurable by law. ICO penalties are wholly avoidable if you abide by the correct procedures and seek guidance from your broker.
Seeking guidance from your broker will help you assess your operational vulnerabilities and guide you towards a cyber policy that meets your needs.
Is your business equipped for GDPR? Are you concerned about future threats caused by cyber-attacks to you and your business? For more information on anything raised in this article or to discuss your cyber and business insurance needs, please contact Hugh J Boswell on 01603 626155