• Most EU countries don’t allow insurance to cover new privacy law’s costly fines
• Companies can get insurance to cover other privacy, cybersecurity risks

Companies faced with fines under the European Union’s new privacy regime are unlikely to lower their financial risk by buying insurance to cover the costs.

The General Data Protection Regulation (GDPR), taking effect May 25, is aimed at giving consumers more control over how their personal details are used. Businesses that don’t follow the GDPR’s protections could face fines as high as 4 percent of annual worldwide revenue or 20 million euros ($23.5 million), whichever is higher.

The GDPR applies worldwide to any company that collects or processes data on EU subjects. They’ll have to report data breaches within 72 hours, and collect or process data in the most transparent way possible. For individuals, the GDPR creates a personal right to erase data.

For many companies, buying insurance may seem like a natural solution. But policies may not be available, or may not cover GDPR enforcement fines.

Rules in individual EU member countries, including the U.K., France, Italy, and Spain, prohibit GDPR insurance coverage, according to an analysis by risk management solutions provider Aon Plc and global law firm DLA Piper. Finland is the only EU country specifically allowing such coverage. Germany, Poland, and Sweden don’t have clear rules on the insurability of GDPR enforcement fines, according to the analysis.

However, individual parts of the GDPR, such as data breaches, are eligible for coverage, Prakash Paran, partner and co-chair of DLA Piper’s global insurance sector group, said in a May 22 statement. Data breach insurance policies are “widely available across Europe and may provide valuable cover to organizations,” he said.

That’s a potential GDPR-spurred boon to insurance providers, such as American International Group Inc. and Zurich Insurance Group AG, according to Bloomberg Intelligence Senior EU Insurance Analyst Charles Graham. They stand to gain from companies’ possible rush for cybersecurity insurance to cover data breach clean-ups, consumer notices, and other costs.

Those providers, among others, “will see demand for cyber and data-breach insurance jump,” he said.

AIG’s London office declined to comment on GDPR insurance offerings. Barclays Bank Plc and Lloyd’s of London Ltd, both major providers, didn’t immediately respond to Bloomberg Law’s email request on their GDPR insurance offerings.

Cyber Insurance Can Help

Insurance policies should be part of a company’s risk management plan for data breaches and should include coverage for legal fees, litigation, and regulatory investigations.

Companies need to work with insurance providers to “have an appropriate risk transfer solution in place,” Andrew Mahony, regional director for Aon’s financial services and professionals group, said in a May 22 statement.

Some insurance providers may direct their customers to specific levels of cybersecurity and privacy protection, Steve Durbin, managing director of the Information Security Forum in London, told Bloomberg Law.

And although businesses are unlikely to be able to insure against GDPR fines, following an insurer’s reasonable security measures “can help demonstrate reasonable steps were taken,” Durbin said. That provides its own form of insurance, as regulators aren’t likely to slap the worst fines on companies that have taken such steps to protect individuals’ privacy and data, he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com