Three months after enactment of the EU General Data Protection Regulation (GDPR), a primary question for many organizations is how the costs of compliance and non-compliance will interplay with their insurance policies. Fines and penalties are top of mind due to their potential size, variance according to local law, and the issue’s resonance with key stakeholders.
Insureds are asking: “Will my insurance policy respond in the event we are faced with a fine or penalty?” Marsh’s view is that, in most markets, the answer is currently more grey than black or white.
Key factors in answering the insurability question will likely include:
- Specifics of insurance contracts: Which policies might provide coverage? Do they expressly provide or preclude coverage? What does the policy’s choice-of-law provision say?
- Decisions by courts in relevant jurisdictions, once the issue enters the legal system.
- Nature of the fine or penalty – civil or criminal – and how egregious the non-compliance was.
Any consideration of insurability must begin with the insurance contract as the foundation for coverage and recovery outcomes. Organizations should work with their advisors to understand how their policies might respond and, where possible, seek to add policy wording that provides the best chance at recovery in the event of GDPR non-compliance.
Contact your Marsh representative to discuss the risk implications of the GDPR for your organization.