Beazley's Raf Sanchez on why GDPR will bring an increase of “non-material” damages claims

  • The UK’s Information Commissioner Elizabeth Denham has warned hefty fines will be levied on organisations that flout GDPR
  • Firms are likely to see huge claims from privacy activists, claims companies and plaintiff lawyers
  • Cyber insurance must sit alongside a data privacy compliance programme

Organisations are likely to be faced with data privacy claims, predicts Raf Sanchez, international breach manager at Beazley, warning cyber cover is only part of the solution.

A light has been shone on the hidden world of data sharing, which has been going on under the radar for years, following the recent social media data privacy revelations. At the same time as this previously hidden, or poorly understood, world is out in the open, regulators and individuals are on the cusp of acquiring the tools to do something about it.

On 25 May, the implementation of the General Data Protection Regulation heralds a new era for data protection across the European Union. It not only creates a new direction of travel for data privacy but also gives regulators, and even individuals, significant new powers to enforce their rights.

Elizabeth Denham, the UK’s Information Commissioner, recently said: “Under the GDPR I will have the power to audit all those who hold, use and share personal data. In other words, soon I will be able to look behind the curtain and see what those who hold our data and personal information are doing with it.”

She warned: “Hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.”

GDPR compliance challenges are sizeable. Despite a four-year lead time, Deloitte’s GDPR benchmarking survey found that only 15% of firms surveyed expect to be fully GDPR-compliant by implementation day. With over 320 data protection officer vacancies currently advertised on LinkedIn for the UK alone, it’s clear that many organisations are some way from full GDPR compliance.

Most of the provisions in the GDPR are intended to harmonise the implementation of data privacy rights across the EU, but the GDPR also includes enhanced rights for individuals and regulators that will be completely new to many organisations.

For example, the right ‘to be forgotten’ and enhanced rights around automated decision-making and profiling will be extremely challenging concepts for many organisations, especially those at the leading edge of utilising and monetising their data or who have invested heavily in data analytics and profiling.

Also of crucial importance will be the right for private individuals to bring claims directly against organisations for “non-material” damages. Combine that with the concept of the collective enforcement of individuals’ rights and the likelihood is that organisations will soon see huge claims from privacy activists, claims companies and plaintiff lawyers.

Take the example of Max Schrems, the Austrian lawyer turned privacy activist who is now focused on the GDPR. In an interview with the Financial Times, he revealed how he has founded “None Of Your Business”, a non-governmental organisation that aims to ensure the GDPR is enforced. NOYB is well staffed with experts and has ambitious fundraising targets, which could well be the shape of things to come.

So, how can we help our clients to mitigate these risks? Cyber insurance is part of the solution, but it must sit alongside a robust data privacy compliance programme, internal risk management planning, software tools and board-level involvement. All will play an important role in trying to plug the immediate compliance gap. However, how personal data is used and protected in an increasingly connected world is a huge challenge both for the organisations holding the data and for the individuals to whom the data relates.

We can’t change the direction of travel as it’s clear where data privacy regulation is going, but we should be setting our sails accordingly to ensure that the risks are addressed.
