Step 11 – Liability
“You are my Everest” – Scaling the heights of GDPR compliance and navigating GDPR fines
One of the first headline-grabbing pieces of news about the GDPR was the new level of fines that a Supervisory Authority could levy in respect of a breach of privacy laws – the equivalent of scaling the great peaks of Mount Everest as compared to Mount Snowdon in Wales, if you will…
Heavy GDPR Fines
The GDPR is intended to introduce a more robust privacy framework, but there would be little point in that framework unless it had the requisite “bite”. Under current laws, the most a privacy regulator can fine an entity is around €1,000,000, and in the UK this figure is considerably lower at £500,000.
However, under the GDPR, fines are set, depending on the category of breach to which the fine relates, at either:
- €20,000,000 or 4% of annual global turnover, whichever is higher; or
- €10,000,000 or 2% of annual global turnover, whichever is higher.
Liability of Data Processors and Controllers
The other stand-out piece of news from the GDPR was that a data processor will no longer be shielded behind the data controller when it comes to wrongdoing, and could be directly fined for its own breach or where its actions contributed to a data breach – only where a data processor can prove it is not “in any way responsible for the event giving rise to the damage” can it entirely escape potential liability.
Under GDPR, Article 28 places many more direct obligations onto the data processor, including:
- Use of appropriate technical and security measures;
- Using sub-processors only where approved by the data controller;
- Co-operating directly with Supervisory Authorities;
- Keeping data processing records;
- Notifying data controllers of any data breach;
- Appointing a Data Protection Officer (DPO);
- Appointing a representative in the EU.
The data processor is now subject to the investigative and corrective powers of a Supervisory Authority under Article 58 of the GDPR, and may also be subject to administrative fines or other penalties under Articles 83 and 84.
In addition, under Article 82, a data processor can be held liable to pay compensation for the damage caused by processing where:
- It has failed to comply with GDPR provisions specifically relating to processors; or
- It has acted without the lawful instructions of the controller, or against those instructions.
On top of this, a data subject may under certain circumstances initiate a private claim directly against a data processor for breach.
The data controller is ultimately accountable under the GDPR, and if the data controller does not exercise sufficient control over its data processor, does not have in place an adequate contract, or does not monitor the data processor, then it could still find itself subject to a portion of any fine levied. As such, the controller and processor are, as we say, “in this together” under the GDPR.
So what can they do together to help ensure compliance and protect themselves from risk? As we have discussed previously, “privacy by design” is at the heart of the GDPR; and, therefore, if a data controller wants to better manage its risk, it should take measures to help ensure that its and its processors’ programs are in fact designed with privacy in mind. This would speak to data controllers:
- Performing appropriate due diligence on their data processors pre-appointment; and
- Post-appointment:
  - Continuing to monitor processor compliance via audits; and
  - Entering into DPAs.
With both subject to potential liability under the GDPR, data controllers and data processors should be working together to demonstrate compliance, starting with ensuring that privacy is at the core of their processes and procedures.