As an American company, you might not be thinking about what’s going on in the European Union, but there’s some regulations implemented that you should be aware of. The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for those in the EU and the European Economic Area. If you’ve been collecting personally identifiable information (PII) on customers since May 25 of this year, then there’s going to be some regulations involved.
As we've learned from recent studies and reports, not all cyber insurance covers GDPR fines, so it’s important to check your policy and see what’s covered; that way you can know what additional coverage you’ll need to get. Even if you do very little business in the EU, having coverage is absolutely essential. This is the need to know on GDPR and the fines that come with it, as well as what you may need to consider regarding your insurance coverage.
Who GDPR Applies To
The GDPR goes much farther than the EU. But according to an analysis conducted this summer by Aon, GDPR fines were found to only be insurable in two countries, Norway and Finland, out of 30 countries surveyed. In 20 of 30 areas surveyed, GDPR fines would not be insurable at all, the survey found. With that in mind, it’s important to get yourself covered if you can. GDPR applies to:
- Organizations established in the EU that are intaking personal data through establishment activities no matter where the processing takes place;
- Organizations not established in the EU that sell goods back and forth to the EU or monitor EU data;
- Data controllers not established in the EU but happen to be in a place where member state law applies through public international law, though this is rarely applicable.
Is My Business Affected?
So the GDPR can apply to a business not directly established in the EU. But do the regulations apply to your business? Ask yourself these questions:
- Does my business hold establishment in the EU?
- Do we offer good and services to the EU, even if we are not established there?
- Do we “monitor” EU data subjects?
What’s Not Covered?
If these regulations entered effect in May, why are we bringing this up now? Marsh released a new report this month finding that the insurability of GDPR fines largely depends on the laws implemented by the government. But in the US, things might be domicile, influencing the ability to recoup fines and penalties. Marsh found that most cyber policies in the US are triggered by cyber incidents and cover legal advice, forensics and data subject notifications; these policies are not meant to cover fines and penalties pertaining to organizational privacy practices and compliances.
While some carriers will provide coverage on a case-by-case basis, many often require a mountain of paperwork to make it happen. Additional exclusion waivers might be needed. Axis Insurance can help you get coverage for GDPR fines.
About Axis Insurance
At Axis Insurance Services, we aim to help our customers identify their exposures and protect themselves. Founded in 1999, we offer insurance programs to a wide variety of professionals and industries including attorneys, real estate, healthcare, architects, and more, and also have a wholesale division. We pride ourselves on offering flexible insurance coverage tailored specifically to each customer’s needs. To learn more about our solutions, contact us at (201) 847-9175 to speak with one of our professionals.
