GDPR Business Insurance a Must

 

Business insurance holders need to be sure that they have fully prepared for the new General Data Protection Regulation (GDPR), which took effect on May 25, 2018.

This warning follows research carried out by OnePoll, which found that only 27.6% of business insurance holders believed their operations to be compliant with GDPR.

Given that the poll was carried out only a few days before the new regulations came into force, this does not bode well for the many businesses that must make sure they are GDPR-compliant in order to meet their legal obligations.

Of course, one area that business insurance holders will need to address is their cyber insurance cover because it is likely that, for many, their pre-GDPR policies will prove inadequate for the new regulatory requirements.

Although most businesses have been making sincere attempts to meet their cyber security insurance obligations, many are doing it too late or are confused by the new and more stringent data protection rules.

Business owners that are in any doubt at all about the scope of their policies in relation to their GDPR obligations should speak with their business insurers as a matter of priority. Not only can the right cyber business insurance provide the reassurance of cover, but it can also help with matters such as legal advice, should it be needed.

That said, speaking with a business insurer alone is unlikely to be enough for businesses. GDPR is clearly complex and challenging, and even now both businesses and their individual clients are struggling to work out what the impact will be moving forward.

The business insurance industry certainly has a role to play, however, as it can use policies and advice to mitigate risks. This is particularly true of cyber insurance, which, although increasingly important pre-GDPR, now sits at the forefront of ensuring cover in the event that data privacy compliance, cyber security, and internal risk management fail and result in some kind of breach or form of damage or loss.

From May 25, businesses that experience a data breach will be required to notify the Information Commissioner’s Office within 72 hours. If this does not happen, significant penalties could apply, including fines and prosecution.