Complying to the EU General Data Protection Regulation (GDPR), effective from 25 of May 2018, is currently one of the most challenging issues for many organizations. Even in the absence of a personal data breach incident, companies may face regulatory assessments resulting in fines and penalties. Moreover, companies operating on several territories, including the EU, may encounter situations interesting several jurisdictions with different legislation. How much can insurance help organization to manage this kind of operational risks?

While technological evolution enables companies to gather and manage huge volumes of information about their existing or potential customers, personal data have become a new, but very important class of assets in many businesses. Coincidentally, with GDPR, EU regulation concerning the personal data protection not only got extended scope and stronger provisions, but also provides for significantly increased enforcement powers to regulators. Shortly put, although data protection rules existed also before the GDPR, fines for a data breach were of considerable smaller values and enforcement actions infrequent.

Aon and the law firm DLA Piper have jointly released a report entitled "The price of data security - A guide to the insurability of GDPR fines across Europe". "GDPR fines can reach up to EUR 20 million, or up to 4% of a group's annual global turnover if higher," points out the report's introductory pages, adding that the "scale of these fines has understandably generated concern in boardrooms."

That being said, insurance coverage for the GDPR related financial risks that organizations face would be more than interesting and desirable. Typical cyber insurance policies - underlines the report -, only insure fines when "insurable by law", and stipulate that the insurability of fines or penalties shall be determined by the "laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties."

The Aon and DLA Piper report presents an overview of the European countries from the insurability and data regulatory tightness, as well as a series of case studies revealing the complexity that the international cyber scenarios may reach.


The current status: there is not a full superposition between the potential "GDPR risk" exposure and most of the insurance policies which are often triggered by privacy or security incidents; moreover, GDPR violations may be identified also without an actual privacy or security incident occurring (non-compliance, for example). In fact, one of the main questions arising is if GDPR non-compliance fines are insurable or not.

The answer varies from country to country, as legal rules governing insurability are often derived from public policy principles. Also, in international cases, it depends very much on the jurisdiction of choice, especially that not always parties' choice will prevail on other legal considerations.

According to the Aon and DLA Piper report, among the 30 European countries under consideration, only in Finland non-GDPR fines are insurable; in 19 countries they are non-insurable while in another 10 countries the situation is unclear.

GDPR fines are insurable in Finland and Norway, while in 20 countries such fines are clearly uninsurable. On the other hand, legal costs, other costs and liabilities following a data breach are insurable almost everywhere, except for Bulgaria and Poland, where the report's authors have market the current situation as unclear. Only 4 countries have a data regulatory environment which can be defined as "moderate": Bulgaria, Croatia, Lithuania and Malta.

In fact, in many countries where the GDPR fines were marked as uninsurable, insurance contracts covering administrative or criminal fines are not expressly prohibited, meaning that also GDPR fines may be theoretically covered by an insurance contracts. Yet, there is a high risk that contracts insuring against those fines will be unenforceable if "it is considered that the parties' intention was to avoid administrative or criminal sanctions. It is a condition of insurability that the loss was caused by circumstances beyond the control of the insured."

In conclusion, at least for the time being, insurance industry's potential contribution to managing GDPR related risks is somehow limited, especially when it comes about the non-compliance issues. On the other hand, GDPR enforcement is only in its infancy, leaving space for future developments. Lawyers will certainly have a word to say.