What you need to know when you're applying the upcoming GDPR changes to your business...
Unless you’ve been stranded on a desert island for the last few months you’ll probably have seen these 4 letters on countless emails and, frankly, plastered all over the place. Heralded with as much fanfare and hype as the millennium bug, what are the implications of GDPR (the General Data Protection Regulation) for your organisation beyond potential changes to your data processing activity, including marketing; and the beefing-up of your cyber security?
Applying GDPR to your own organisation
There are countless whitepapers and blog posts out there to help you with high-level considerations as you face the task of achieving compliance with these new Data Protection rules which come into effect on 25th May 2018. The data regulator itself, the Information Commissioner’s Office (ICO), has plenty of useful resources and guidance on its website too. However, you’ll have spotted that there’s very little specific advice about how the new regulations will apply in real terms to your industry. What’s more, you’ll have to work out for yourself what you need to do within your individual organisation to meet compliance.
You’ll be keen to ensure you’ve implemented the relevant policies, systems and controls in time for the deadline but what if you do get something wrong along the way or at some point later? What if, despite your best efforts, you suffer a data breach or someone accidentally leaves that infamous laptop on a train?
A quick word about penalties for failures and breaches
The ICO has the power to issue fines of upto €20m or 4% of global turnover if there’s a holding company (whichever is the greater) for the major breaches under GDPR. For more minor breaches both those figures are halved.
Get your insurers involved
As part of your GDPR preparations you’ll want to include a conversation with your business insurance provider about the indemnity limits under your Cyber Liability cover to make sure you keep in-step with the financial exposure. It’s a relatively new and widely underrated area of insurance but one that will gain ever more prominence as our reliance on technology in-particular evolves. Any insurance expert worth their salt should be able to exhibit a sound understanding of Cyber Liability cover and have a pragmatic approach when relating the risks to your business.
In short, Cyber provides the protection you’d need following a data loss or security breach. It covers things like the costs of forensic investigation, data recovery, PR & reputational damage limitation, losses to third parties as a result of the breach and even the defence costs of an ICO investigation and, crucially, any resulting civil fine.
A full explanation of the main heads of cover typically provided under a Cyber Liability policy
Costs your business may incur as a result of an incident
Breach Costs - Practical support in the event of a data breach (electronic or otherwise) including forensic investigations, legal advice, notifying customers or regulators, and offering support such as credit monitoring to affected customers.
Crisis Containment - In the event of a data breach, prompt, confident communication is critical to help minimise the damage to a company’s reputation. A leading public relations firm is engaged who can provide expert support, from developing communication strategies to running a 24/7 crisis press office.
Cyber Business Interruption - Compensation for loss of income, including where it is caused by damage to your reputation, if a hacker targets your systems and prevents your business from earning revenue. How else would you survive this type of catastrophe?
Cyber Extortion - Protects you if a hacker tries to hold your business to ransom with any final ransom paid, as well as the services of a leading risk consultancy firm to help manage the situation.
Hacker Damage - Reimbursement for the costs of repair, restoration or replacement if a hacker causes damage to your websites, programmes or electronic data.
Amounts you may be liable to pay to other parties
Privacy Protection - Pays to defend and settle claims made against you for failing to keep customers’ personal data secure including the costs associated with regulatory investigations and settlement of civil penalties levied by regulators where allowed.
Multimedia Liability - The policy includes protection if you mistakenly infringe someone’s copyright by using a picture online for example, or inadvertently libel a third party in an email or other electronic communication.
Additional cover options
Cyber Crime - Covers direct financial loss following an external hack into your company’s computer network. This could be theft of money, property, or your digital assets.
Telephone Hacking - Pays the costs of unauthorised telephone calls made by an external hacker following a breach of your computer network; includes traditional fixed-line telephony systems, as well as online systems (VoiP, Skype, etc).
If you’re confident your IT systems are secure…
…think about Carphone Warehouse, TalkTalk and the other large corporations like them that have entire departments devoted to IT security but who still suffered a data breach. You have to consider that it’s also often the human error element that lets the side down - employees cleverly targeted by criminals and tricked into revealing information, files accidentally left in public spaces, security patches not installed, a rogue employee with a grudge or the desire to sell client data for their own profit.
“I don’t know where to start and my insurance provider hasn’t given us much advice.”
If this is the first you’ve heard of the GDPR changes you might like to check out the ICO’s Data Protection Self-Assessment Toolkit as a starting point. Thereafter, if you need any help with marrying your cover levels to the risks highlighted we’d be delighted to arrange that for you. Rest assured that it’s not just the organisations with deep pockets that can afford Cyber Liability cover.
Your customers want to be sure that you’re treating their data seriously, safely and securely. So aside from looking at how a data breach might affect your ability to operate, consider how it might affect them. Then give some thought to how you’ll defend yourself and reimburse them if you do, in all innocence, cause your customers a financial loss. How will you manage the loss of reputation that would bring? How will you survive any downtime? Cyber Insurance is one big, easy answer.
Chris Knott Business Insurance QUOTELINE: 0800 917 2274
To be the first to receive information like this in the future, plus occasional offers from Chris Knott, please subscribe to our updates - we promise not to overdo it and you can unsubscribe again at any time.