
Will fines under the GDPR be insurable?

12 December 2017
The General Data Protection Regulation (Regulation 2016/679) (GDPR) will come into effect from 25 May 2018, when the present Data Protection Directive 95/46/EC will be repealed. In preparation for this, the Information Commissioner’s Office’s (ICO) recently enhanced powers mean that it can now levy fines up to the greater of either four percent of turnover or £18 million (previously the maximum was £500,000). According to analysis by management consulting firm Oliver Wyman, this means that FTSE 100 companies could face fines of up to £5 billion for GDPR breaches.

Where companies might be subject to large fines, there is increasing concern as to whether the fines imposed by the regulator will be insurable, either via a company’s professional indemnity policy or a cyber specific policy.

Current Law Society guidance is out of date and does not provide any clarity on the issue. Although the guidance issued in October 2016 stated that regulatory fines and penalties are covered by cyber insurance where insurable by law, there is no update discussing the implications of the GDPR.

Standalone cyber policies will cover fines to the extent that they are legally insurable; however, European analysis indicates that this is unlikely to apply to the GDPR, particularly where criminal proceedings could be brought against those responsible.

Under English law, public policy principles enshrined in the ‘illegality defence’, in which a claimant is unable to pursue a civil claim if the claim is based on the claimant’s own illegal acts, will determine this.

Under General Provision 6 (Insurance against financial penalties) of the Financial Conduct Authority Handbook, it is forbidden for any regulated firm to obtain insurance coverage against financial fines. With regulatory fines, it may depend on the nature of the act giving rise to the fine – the ICO, as the regulatory body, is unlikely to impose a fine for an infringement which was entirely innocent, and so regulatory fines are unlikely to be insurable where there has been some degree of negligence or culpability by the data controller.

One means of avoiding this ambiguity until case law clarifies the issue would be to insure in the Bermuda market, where regulators do not prevent regulatory fines being recovered. Its capacity, however, is currently too small and even if it were to be possible in the future, premiums for policy holders would increase.

Brokers remain the first port of call to see if any GDPR-related insurance products can benefit a business. It remains to be seen whether insurers and their agents will be ready for 2018’s changes in time.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.
