
Alison Padfield QC looks at cyber insurance in the light of the GDPR and asks: what is it, and who needs it?
- The entry into force of the GDPR will boost the developing market for specialist cyber insurance.
- Insurers are likely to look to control their exposure.
The General Data Protection Regulation (GDPR) entered into force in English law on 25 May 2018 amid huge publicity. The reporting obligations under the GDPR include reports of serious data breaches to the supervising authority within 72 hours (Article 33) and to affected data subjects (Article 34). The GDPR also facilitates group actions (Article 80) and increases the ceiling for fines to €10m or €20m, or 2% or 4% of total worldwide annual turnover, depending on the type of breach (Article 83). Against this background of more extensive reporting obligations and the encouragement of group actions, the volume of civil claims and the number of fines imposed by the Information Commissioner’s Office (ICO) are likely to increase. Civil claims may include damages not only for financial loss, but also for non-financial loss (‘non-material damage’) such as distress