Europe’s General Data Protection Regulation (GDPR) went into effect on May 25th and has sent disruptive ripples around the globe. As borderless as the data it seeks to protect, the new law is shaking up businesses and their data-handling practices worldwide. It has been christened the “biggest shake-up of data privacy laws since the birth of the Internet.” Though the law functions to safeguard European citizens’ data and related privacy, any organization, in any country, is beholden to its mandates if the business holds European data. Some companies are finding it a challenge to comply. Others, along with consumers, praise what they see as long-needed legislation and transparency about data use for Europe’s citizens.
The insurance business in Europe is one industry that could feel a positive bump from GDPR. The regulation, along with substantial cyber attacks such as NotPetya and WannaCry, has sparked a demand for cyber insurance in Europe. Still negotiating its way through an evolving and shifting set of needs and parameters, cyber insurance to date can cover data breach consequences such as lost revenue, IT system damage, legal costs, and reputation harm (through PR campaign reimbursement).
GDPR could add a further boost to cyber policy growth in the form of coverage requests for the troublesome fines the new law can inflict. Many businesses have expressed concern over what they deem too-strict directives. One such point of concern is the thin 72-hour window in which companies must notify regulators of a breach. Failure comes with a steep non-compliance fine of 4 percent of the business’ annual revenue.
Britain is one nation currently discussing the possibility of insuring such fines, but lawyers and insurers are uncertain of the likelihood just yet. A partner at the DLA Piper law firm acknowledges, “It’s definitely a gray area.” According to a recent report conducted by the insurance broker and law firm Aon, Norway and Finland look to be the only two European countries that might allow GDPR fines to be insured.
A representative from Britain’s data regulator warned that organizations shouldn’t look to insurance to cover their missteps, but should instead focus on compliance with the law. The clear purpose of the legislation is to protect citizens’ rights first and foremost, not to offer organizations an “out” if they choose to sidestep its mandates. However, the GDPR neither allows nor forbids coverage for fines.
Because the GDPR makes it easy for groups of individuals to file class action-like suits in the event of non-compliance, there could be a surge in demand for insurance coverage.
Though GDPR coverage would be a boon to insurance portfolios, it would greatly stymie the core of the law, the very principle for which it was created. Reimbursing businesses for fines they earn by neglecting data privacy law negates the law itself. Where is the motivation to comply?
Though a business continuity professional would insist that a damaged reputation and customer loss should be motivation enough, the headlines prove this is not always the case.
Written by Angie Longacre
As a writer for Assurance Software, Angie devotes her craft to promoting business continuity and disaster recovery awareness, and trumpeting Assurance Software’s invaluable benefits for both. When she’s not commanding the keyboard, you can find her outside for a run, searching for her next antique treasure, or lost in a good book.