Insurance for GDPR fines will not be valid in the majority of European jurisdictions, a study by Aon and DLA Piper has found.

The research highlights that GDPR fines will only be insurable in two of countries - Finland and Norway.

Of the 30 European countries surveyed by the broking house and law firm, only a third would generally be regarded insurable for GDPR fines – with these countries including the UK, France, Italy and Spain.

The study has been released ahead of GDPR coming into force next week – which will see non-compliant companies fined up to EUR20mn ($23.7mn) or up to 4 percent of its annual global turnover, whichever is higher.

The study found that in eight European jurisdictions it is unclear whether GDPR fines would be insurable.

In these countries, there must be no deliberate wrongdoing or gross negligence on the part of the insured.

The research highlights that criminal penalties are almost never insurable and individual European member states can impose their own penalties for personal data violations.

Vanessa Leemans, chief commercial officer at Aon’s cyber solutions unit in EMEA said GDPR will expose companies to significantly higher risks related to how they manage and store personal data.

“Data breaches, and other cyber events, could see businesses face both major fines and extensive costs,” Leemans said.

“It is therefore essential that organisations fully understand where their exposures lie, they should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place,” She added.

“While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organisations,” Prakash Paran, partner and co-chair for the global insurance sector at DLA Piper said.

“However, corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses,” Paran went on.