As your inbox will no doubt demonstrate, the General Data Protection Regulation (GDPR) is upon us. Very few organisations are sufficiently confident to say that they will be ready and fully compliant. The ramifications of breaching the GDPR are potentially very serious. Organisations found to have committed serious breaches of GDPR risk fines of up to €20m or 4% of global annual turnover (fines are linked to revenue not profit), whichever is higher.
The UK regulator - the Information Commissioner's Office (ICO) - will take into account a number of factors when determining whether to impose a fine, the level of any fine and whether other penalties should be imposed. These factors will include the nature, gravity and duration of the infringement; whether the infringement was deliberate or negligent; the nature of the personal data involved; and the way in which the ICO became aware of the infringement, e.g. whether the ICO was notified promptly. It will also take into account whether previous infringements have occurred; what the organisation has done to mitigate the effect of and remedy the infringement; and the degree of co-operation following the infringement.
The ICO has repeatedly said that the enforcement approach will be "carrot over stick" – in an August 2017 blogpost, the Commissioner said "it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm…The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR".
In addition to the risk of fines from the ICO, there are a number of criminal offences (most of which already exist under the current data protection law) and the risk of individuals bringing claims for damage (including distress) suffered as a result of a breach of the GDPR. An example of such a claim under the current law is the group action brought by a number of employees against Morrisons following a malicious data breach by one of its own employees.
Businesses of all sizes are understandably anxious, but a head-in-the-sand approach will not work. Aside from proactively taking steps to ensure compliance, organisations also need to consider the age-old way of transferring risk: insurance.
In terms of insurance and the position in the UK, there are two principal issues worth considering: (i) the extent to which ICO administrative fines are insurable; and (ii) the extent to which other costs flowing from alleged breaches of the GDPR are insurable:
- Insurance of administrative fines: the starting point is that in the UK, for reasons of public policy, insurance is not available to indemnify insured organisations against fines imposed for criminal conduct. Fines for criminal conduct are designed to have a deterrent and penal effect. The ability to insure against such fines would negate their very purpose and run contrary to public policy. Legal authority in which this principle has been discussed suggests that the principle could extend to apply to non-criminal conduct also, in the event that the relevant conduct can be regarded as reprehensible.
Given the factors that the ICO is likely to take into consideration when deciding the level of a fine, it seems reasonable to predict that fines are less likely to be imposed where the infringement is wholly innocent and, conversely, more likely where the infringement is found to be intentional and flagrant. The ICO may well treat such conduct as justification for civil penal sanctions in the form of hefty fines, not least to demonstrate a willingness to protect the public interest. Protection of the public interest must be high on the ICO's agenda and is therefore inextricably linked to the imposition of fines for deterrent and penal reasons, as is the case for fines for criminal conduct. On that basis, ICO administrative fines are unlikely to be insurable in the UK.
- Insurance of costs flowing from GDPR infringements: this is where an organisation's insurance could be key. Here, insurance will be available to indemnify insureds against, for example: the legal costs of investigating alleged GDPR breaches; the legal costs of defending proceedings arising out of alleged breaches; business interruption losses resulting from, for example, bans on the processing of data; costs associated with remediation; and, importantly, costs incurred in mitigating reputational damage. Similar types of cost are already insured under a range of different policies, such as directors' and officers' insurance, which is of particular importance in covering the costs of internal and regulatory investigations.
Now is the time for organisations to analyse the insurance cover that they have in place and to assess whether they need additional cover to protect themselves, insofar as is legally permissible, against the risks associated with the new GDPR regime.