Mitigating GDPR Exposures for Directors and Officers

The first round of fines, admonishments, and even potential bans linked to the EU General Data Protection Regulation (GDPR) are expected by the end of the year, according to a high-ranking EU official. This puts pressure on organizations to make sure they are compliant with the regulation, which has wide-reaching provisions revolutionizing the data protection landscape across the world.

More than 42,000 complaints have already been filed since the regulation came into effect on May 25, 2018. The GDPR — together with other new privacy regulations such as the California Consumer Privacy Act of 2018, which will take effect in 2020 — increases the potential exposure for both companies and their directors and officers. In fact, a number of lawsuits and regulatory investigations and actions have already been initiated against directors and officers.

Understanding Policy Limitations

The potential increase in privacy-related losses makes directors and officers (D&O) liability insurance an even more essential tool in managing privacy risks, including those associated with potential GDPR exposures. As business leaders strive to understand any potential limitations that might impact coverage, they need to carry out a thorough review of their organizations’ D&O policies while keeping in mind the GDPR. Among other items, organizations should consider the following when reviewing D&O policy wording:

• Is your company’s data protection officer, or other GDPR-related privacy officer, a true “officer” of the company and thus qualifies as a covered insured?
• Are there relevant exclusions in your policy, such as regarding cyber and/or privacy?
• Are your limits sufficient to cover potential GDPR and privacy-related fines and penalties along with other costs?  
• Do you know how an insurer or regulatory authority might respond to the insurability of GDPR fines and penalties?
• What is the reputation for paying claims of the insurers on your D&O program? 

The final three points should also be reviewed in light of your cyber policy, if any. Among the questions when reviewing your cyber policy, you should consider:

• Does the insuring agreements section — namely the scope of privacy regulatory or regulatory action costs — contain language that allows for broad coverage for GDPR fines and penalties, where insurable?
• Is your policy’s definition of privacy law broad enough to include the GDPR if specific GDPR wording is not present?
• Is the definition of personal data and/or confidential information as broad as the GDPR’s definition of personal data in Article 4.1?
• Is there a sufficient coverage trigger for GDPR fines and penalties under the definitions of privacy event and/or cyber incident or event?
• Are there pertinent exclusions?

As privacy regulations evolve, the potential exposure to companies and their directors and officers is likely to increase. It is important to understand new requirements under these laws and how they could affect your risk profiles, and to work with your insurance advisors to regularly review D&O and cyber coverages to keep pace with the changes.