Is your senior team covered for GDPR breaches?
JUST when you thought it was safe to return to the business pages, I'm afraid this is another GDPR piece! The aim, though, is not more technical jargon, but to provide a few thoughts that could safeguard your business, and its directors and officers from a financially painful experience.
For those of us of a certain vintage, parallels have been drawn between GDPR and the Y2K preparations of 1999. The task then was to head off the dire predictions that the Millennium Bug would end life as we knew it.
As it transpired, the 'Bug' was one of the most over-hyped phenomena of recent times. Few computers failed, life didn't end, and levels of cynicism ratcheted up several points.
GDPR is different though. It is not a hypothetical problem: it is law, enforced in the UK by the Information Commissioner's Office (ICO), which has published guidance on what compliance requires, and it can have serious implications for businesses that do not adhere to it.
To date, the ICO has taken a measured stance. Innocent oversights, at least in the short term, are unlikely to bring financial ruin, but flagrant disregard will be punished and businesses will fall foul of GDPR's eye-watering fines, which can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
Much has been written about those fines, but less has been said about other sources of GDPR risk.
Company directors and officers have duties relating to good governance and management, and failings on their part can leave them personally exposed to fines, legal costs and damages. A breach of personal data under GDPR is now another such area of risk, and the insurance industry is predicting a spike in claims over such incidents. These could be individuals bringing claims for damages (for distress, for example) following a GDPR breach, or even class actions. The claims do not have to come from customers: recently, 5,500 Morrisons staff successfully brought an action against their employer after an employee maliciously leaked their personal data online, with the court holding the company liable even though the leak was the act of a rogue insider rather than a failure of the company's own systems. It is therefore worth checking what type of cyber cover is in place for your business.
Because of its technical nature, some directors and officers may have delegated GDPR preparations without giving them much thought. Given the scope for regulatory or civil action, those preparations should have included a clear answer to one question: how are the potential personal liabilities of directors and officers covered? Is there, for example, insurance in place to meet legal costs or the cost of reputational damage?
Businesses should have provision through directors' and officers' (D&O) insurance and professional indemnity (PI) insurance. It is, however, a complex area and one you should discuss as a matter of urgency with your insurance broker: although both types of policy will typically cover investigation costs, neither will cover regulatory fines should your company be found to be non-compliant.
There can be a fine distinction between activities carried out as a director or officer and those conducted as a professional, and it may be that there are gaps in your cover. Wording differs from policy to policy, and a discussion with your insurer about the cover available in light of GDPR is recommended. You should also take advice on what an appropriate level of cover is, and on the value of 'run-off' clauses that continue to protect directors after they leave the organisation.
Clearly the first line of GDPR defence is to ensure that all reasonable measures have been taken to protect personal data, whether it belongs to customers or to staff, and to safeguard against breaches. Not to have adequate insurance provision in place as well, however, could leave the business and its directors with a serious financial exposure.
:: Michael Blaney is the managing director of Autoline Insurance Group (www.autoline.co.uk)