Will fines under the GDPR be insurable?

General Data Protection Regulation (Regulation 2016/679) (GDPR) will come into effect from 25 May 2018 when the present Data Protection Directive 95/46/EC will be repealed. In preparation for this, the Information Commissioner’s Office’s (ICO) recently enhanced powers mean that it can now levy fines up to the greater of either four percent of turnover or £18 million (previously the maximum was £500,000). According to analysis by management consulting firm Oliver Wyman, this means that FTSE 100 companies could face fines of up to £5 billion for GDPR breaches.

Where companies might be subject to large fines, there is increasing concern as to whether the fines imposed by the regulator will be insurable, either via a company’s professional indemnity policy or a cyber specific policy.

Current Law Society guidance is out of date and does not provide any clarity on the issue. Although the guidance issued in October 2016 stated that regulatory fines and penalties are covered by cyber insurance were insurable by law, there is no update discussing the implication of the GDPR.

Standalone cyber policies will cover fines to the extent that they are legally insurable, however European analysis indicates that this is unlikely to apply to the GDPR, particularly where criminal proceedings could be brought against those responsible.

Under English law, public policy principles enshrined in the ‘illegality defence’, in which a claimant is unable to pursue a civil claim if the claim is based on the claimant’s own illegal acts, will determine this.

In General Provision 6 (Insurance against financial penalties) of the Financial Conduct Authority Handbook, it is forbidden for any regulated firm to obtain insurance coverage against financial fines. With regulatory fines, it may depend on the nature of the act giving rise to the fine – the ICO, as regulatory body, are unlikely to impose a fine for an infringement which was entirely innocent and so regulatory fines are unlikely to be insurable where there has been some degree of negligence or culpability by the data controller.

One means of avoiding this ambiguity until case law clarifies the issue would be to insure in the Bermuda market, where regulators do not prevent regulatory fines being recovered. Its capacity, however, is currently too small and even if it were to be possible in the future, premiums for policy holders would increase.

Brokers remain the first port of call to see if any GDPR-related insurance products can benefit a business. It remains to be seen whether insurers and their agents will be ready for 2018’s changes in time.

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.