The General Data Protection Regulation and the issue of personal liability

12. April 2018 | Drooms Global

For organisations, preventing a data breach, or at worst containing one, is essential in the digital world. In cases where confidential information is leaked or disclosed illegally, liability becomes a major concern. Identifying the reason for the incident is vital not only to rectify the issue but also to ensure preventative steps are taken to stop it from happening again.

What does the GDPR say about data breaches?

The new law defines a personal data breach as an event in which a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It’s important to note that breaches include both accidental and deliberate causes. Example cases include:

  • The sending of personal data to an incorrect recipient
  • The processor or controller’s deliberate or unintentional actions
  • The loss of access to personal data

Most organisations will handle personal data to some extent. The way they process, store and manage this data determines whether the regulations define them as controllers or processors.

Data controllers are natural or legal persons, public authorities, agencies, or other bodies determining the purposes as well as the means of processing the personal data. Data processors are natural or legal persons, public authorities, agencies or other bodies processing personal data on behalf of the controller.

In the event of a data breach, both controllers and processors need to immediately determine the extent of the damage and take appropriate action. If the breach is likely to put people’s rights and freedoms at risk, it must be reported to the relevant supervisory authority within 72 hours. Furthermore, depending on the nature of the issue, the organisation must also inform the individuals whose rights and freedoms have been jeopardised.

The law will impose quite harsh penalties in the event of non-compliance and data breaches, with a potential fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

What are processors and controllers liable for?

Under the General Data Protection Regulation, controllers are the primary party responsible for compliance. However, processors also have a host of obligations, and they are now directly liable towards data subjects in the event of non-compliance. Where multiple controllers or processors are involved, each controller or processor will be responsible for the entirety of the damage if the damage can be shown to have resulted from that controller or processor’s failure to comply with its obligations. In that sense, the new regulations provide a cumulative liability regime.

Studied more closely, controller liability remains similar to that outlined in the prior regulation, Directive 95/46. The GDPR states that, “any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation”.

When damages occur because of an unlawful processing of personal data, then the controller will be liable. Liability will only cease to be relevant if the controller can prove that it wasn’t responsible for the event, i.e. a data breach. The controller has to be able to demonstrate it complies with the basic principles of data protection and other provisions.

While the terms remain similar for controllers, processors have increased liability under the GDPR. According to the changes, processors will have numerous obligations. Furthermore, processors will also need to comply with requirements imposed by way of contract, not just those they must automatically fulfil.

The proportional liability also requires the demonstration of negligence and non-compliance. For the processor to be held liable, it must be shown that it failed to comply with its obligations, that this resulted in real damages, and that there is a causal relationship between the non-compliance taking place and any damage.

In terms of demonstrating compliance, controllers’ responsibilities are much bigger. According to the GDPR rules, controllers must be able to demonstrate at any point that they are complying with their obligations. On the other hand, there is no obligation for processors to demonstrate such compliance.

What about Data Protection Officers?

Under the regulation, organisations that need an appointed DPO are those that:

  • Are a public authority (excluding courts)
  • Carry out large-scale and systematic monitoring of individuals, or
  • Deal with the large-scale processing of special categories of data or data relating to criminal convictions and offences

When a DPO is appointed they will have:

  • The right to require the organisation to provide necessary resources to protect the data
  • The power to access the data processing personnel and operations
  • Express protection against dismissal or penalty for carrying out their duties

In terms of liability, it’s important to note that the GDPR doesn’t provide any specific liability for a DPO. The controller or the processor remains responsible for ensuring compliance, and the burden of demonstrating this compliance also rests on those two parties. This means the DPO is not personally responsible for non-compliance problems.

However, the DPO will, of course, have liability for their own activities, including under criminal law – generally set by the domestic laws of the relevant member states. Therefore, if there is clear criminal intent, liability also falls on the DPO. This doesn’t necessarily remove the liability from the processor or controller.

What happens to personal liability?

The impact of the GDPR is not fully known yet and it will take some time to iron out uncertainties. However, it is clear from the regulation and certain rulings that the liability falls on the organisation to comply. The international law firm, Norton Rose Fulbright, writes in their blog, “(t)he responsibility for compliance with the GDPR will, in practice, fall on the organisation’s directors”.

There is recent evidence of an organisation being held liable even when a single employee is behind a data breach, and this even though the GDPR is not yet in force. While the case took place in the UK and was brought under the Data Protection Act 1998, the principles of the case provide lessons for the future – not least because the Data Protection Principles are repeated in the GDPR. Law firm Gilson Gray has presented the case, involving various Morrison Supermarket employees and the organisation itself, on its website. In short, the courts found the British supermarket chain liable for non-compliance with data protection laws, even though it was a disgruntled employee who leaked personal data online. The law firm writes, “the court indicated that the mere fact there was a release of personal data must mean that Morrisons should be responsible,” despite the company having taken some steps to minimise access to this data. Furthermore, the courts found the employer liable because it had trusted the employee with access and, by doing so, became liable even though the employee chose to abuse that access.

What should organisations do to prepare for the GDPR?

The above makes it clear organisations must take data protection seriously. Compliance issues should be a key concern for organisations because of the wider liability implications. It’s not just about protecting the company directly from external threats but also ensuring it limits the risk of potential internal breaches. Organisations not only have much wider liability but also a deeper duty to demonstrate their compliance.

What organisations need now is to focus on updating their data security protocols, data protection policies, and privacy statements. Furthermore, staff training is a crucial part of data protection and management, as is looking closely at who has access to the data in the first place, how and when. Organisations must go through a proper risk assessment and testing phase in that regard.

Drooms, as a European service provider and strong advocate of data security and protection, is already compliant with the General Data Protection Regulation and takes its role as a processor extremely seriously.

Data protection can benefit organisations

Although the GDPR has been seen by some as a mechanism to penalise businesses, improved and enhanced data protection can benefit organisations. The public should be able to trust the organisations it uses, and those who focus on getting it right will enjoy a higher level of confidence. The efforts will also improve security and better protect businesses from criminal activity.