Retailers urged to check their insurance in advance of GDPR countdown

With less than one month left for retailers to prepare for the new General Data Protection Regulation (GDPR), which comes into effect on May 25 2018, insurer NFU Mutual is advising businesses to check whether their insurance cover would provide legal support in the event of a data protection breach.

The insurer advises that defending legal action from regulatory bodies as a consequence of a breach could be covered as part of specialist business insurance, such as Directors’ and Officers’ (D&O) and Cyber cover. Fines issued in court for a GDPR breach can reach up to €20million, or 4% of turnover, whichever is the greater, regardless of the size of the company.

NFU Mutual business insurance specialist Barney Hatcher said: “It’s very difficult to hypothesise about how GDPR will affect businesses until the new law comes into effect, and each claim and case is different. However, as long as there has been no determination of intentional and/or gross negligence of the law, a good D&O or Cyber insurance policy should include cover to defend a case against a regulatory body such as the Information Commissioner’s Office (ICO), so we would urge retailers to check their policy wording. Of course, the client can’t be complacent with GDPR and needs to take steps to ensure they are compliant, but it may be reassuring to have legal help within reach if a genuine mistake is made.

“There are also other ways in which an insurer could support. For instance, once initiated by the policyholder, Cyber cover can pick up the task of informing the ICO of a breach of personal data within the required 72-hour period, as well as covering for individual compensation claims as a result of data loss. D&O and Cyber policies also often include the support of a PR agency to manage reputational impact.”

Reports in the media claim that there is some disparity and confusion in the way that GDPR is currently being handled by businesses and that many may be noncompliant.

Barney continued: “In very simple terms, there are two main aspects of GDPR changes for businesses to consider. Making sure that they tell people what they are doing with the data that they hold about them in a clear and simple way, and making sure that people understand and have consented to marketing activity where appropriate.

“If businesses are confused about GDPR they should visit the ICO website. For insurance purposes it’s important that businesses evidence the steps that they are taking to become GDPR compliant, which is something we would look for in the event of a claim.”

GDPR in a nutshell:

GDPR rules come into force on May 25 2018.

The new rules mean that personal data (ranging from bank details to IP addresses) will need to continue to be handled lawfully, carefully and transparently by businesses in the interests of protecting consumers.

The legislation applies to the data of all individuals that a business holds (including non-customers) and applies to all businesses that handle data in any way – whether that is on a till point checkout, on social media, or in an e-newsletter. The risks of non-compliance are severe, with fines of up to €20million, or 4% of turnover (whichever is the greater), regardless of the size of the company.

For more information about GDPR, businesses should refer to the Information Commissioner’s Office website, where they will find guidance and toolkits to assess readiness or seek specialist advice and support – www.ico.org.uk/for-organisations/business/.


©2021 Innovative Electrical Retailing. Datateam Business Media Limited. All rights reserved.
Registered in England No: 1771113. VAT No: 834 8567 90.
Registered Office: 15a London Road, Maidstone, Kent ME16 8LY