We still have a problem with data protection
Although GDPR has been in force for more than four years now, there are still quite a few companies making basic mistakes in applying the regulations. Is it possible to insure against their consequences? Yes, with the help of cyber insurance and D&O insurance.
For most people, it seems that the most ‘erroneous’ issue is the use of the data collected and how the data subjects are notified about how the data are being processed. However, it turns out that we also have a lot of problems with the complete basics.
We rely on the old rules
Many companies still apply rules derived from the Security Policy and IT System Management Instructions, and these are rules which date back about 15 years and are not in line with RODO! Moreover, the way all data, including personal data, is stored and processed has changed drastically since then. Today, all processes have become digitalised. This means that we face a different type of risk of their leakage, which, in addition, is much higher than in the days when paper was in dominance. In this situation, cyber security plays a crucial role.
We misinterpret the definition of personal data
Here again, we cannot ‘wean ourselves off’ the old rules. Previously, only identifying information was considered personal data. According to the definition set forth in the GDPR, personal data is all information about an identified or identifiable natural person. This means that it is not only about name, surname, date of birth, gender and the like. Personal data include also, for example, information about properties or vehicles owned. And also photos and tags posted on social networks!
We process personal data unlawfully
Mistakes also made as a result of formal complexities. In order for data processing to be lawful, it must comply with the conditions set forth in specific articles of the GDPR – 6 and 9. Where, then, can mistakes be made? By applying them separately. Article 6 is the basis and Article 9 only supplements it in the case of specific, so-called “sensitive” data.
Insurance as a lifeline?
Cyber insurance is the backbone. Among other things, it allows for a payout to cover the costs associated with securing and restoring digital assets if a leak occurs as a result of a hacking attack or human error. More importantly, however, the assumption behind the insurance is that is covers the costs of the actions required to be taken under the GDPR provisions, i.e. carrying out an information campaign among potential victims of a leak. In addition, it provides for reimbursement of the costs associated with administrative and judicial proceedings and the payment of damages. In general, a cyber policy may also include coverage of fines imposed under the GDPR.
A well-designed protection scheme should include yet another type of policy – D&O, or Directors’ and Officers’ liability insurance. After all, irregularities in records keeping, personal data defining and processing of data in accordance with legal regulations are usually the result of an inappropriate decision made by a specific individual. The company’s owners or shareholders may therefore bring claims against the decision-makers whom they want to hold accountable for their losses. For example, they may expect to be reimbursed for administrative fines or compensated for other damages resulting from a GDPR incident. And a D&O insurance will ensure that the managers held ‘liable’ are covered for defence costs and other losses if these are indeed found to result from negligence.
Author: Szymon Bąk, Cyber Insurance Specialist from EIB S.A.
Last Updated on October 24, 2022 by Anastazja Lach