Underwriters of data protection risks will be aware of the increasing focus upon the protection of the rights of the individual in today’s information society.
Privacy and data protection issues have come under increasing scrutiny in light of the Leveson Inquiry into the phone-hacking scandal, concerns regarding the use of personal data by social media and the transfer of data into the cloud, combined with a number of high profile security breaches and the increasing activities of “hacktivists”. Against this background, the European Commission has published its proposals for the reform of EU data protection law, first heralded some 18 months ago.
The contents of the final regulation, and the likely increase in the activity of national data protection regulators while the draft is going through its approval and ratification process will have implications for the underwriters of data protection risks, both as a liability risk and as a first party cover. In this article we consider some of the changes envisaged by the draft regulation that will both affect the scope of the risk and, as businesses wake up to the increasing burden of regulation and the increased scrutiny of regulators, lead to an increasing demand for this type of insurance.
Mandatory requirement to notify security breaches
The proposed change that received the most publicity when the European Commission first gave notice of its intention to reform the Data Protection Directive concerned the consequences of a data protection breach. At present, in the UK there is no general requirement for a data security breach to be notified to the Information Commissioner. The Information Commissioner’s Office (ICO) has issued guidance on notification, but compliance is a matter of good practice rather than mandatory.
The draft regulation requires the data controller to notify the regulator of a breach without undue delay and not later than 24 hours after having become aware of it. As a minimum, that notification must:
- describe the nature of the breach, including the categories and number of data subjects concerned and the categories and number of data records concerned;
- communicate the identity and contact details of the data protection officer (see below);
- recommend measures to mitigate the effects of the data breach;
- describe the consequences of the breach;
- describe the measures proposed or taken by the data controller to address the breach.
Where that breach is likely to affect adversely the personal data or privacy of the individuals concerned, the controller will also be obliged to communicate the breach to them without undue delay.
At present, there is no minimum threshold for a data security breach that will trigger the notification requirement. In principle, therefore, every breach is notifiable. Not surprisingly, in its initial comments on the regulation, the ICO has commented that there is a danger that supervising authorities will be swamped with notifications of trivial or inconsequential breaches. The ICO also comments that a 24 hour period for notification is likely to be unrealistic.
It is expected that there will be some amelioration of the terms of the current draft. However, it is plain that many more businesses will become exposed to the significant costs of data breach notification under the new regime.
Broader definition of personal data
In the context of a data security breach, it is also notable that the regulation envisages a broader concept of the term “personal data”. This now includes all data that can identify an individual, whether that data is held by the data controller himself or by a third party when, in combination with the data held by the controller, it could identify the individual concerned. To date in the UK, the data protection legislation has only been concerned with data in the hands of the data controller. In the circumstances, not only does the new regulation introduce a mandatory notification requirement, it also increases the universe of data in respect of which a security breach may occur.
New obligation on data processors
Another significant change to be introduced by the regulation is that data security is no longer the sole responsibility of the data controller. The draft provides that the requirement to provide “appropriate technical and organisational measures” to ensure data security is now an obligation imposed on both data controllers and data processors. Prior to the regulation, the obligation of data processors to comply with security requirements flowed solely from their contract with the data controller. As a consequence, any “data processor only” businesses now fall directly under the data security requirements of the new regime and face a new compliance burden.
Data protection principles strengthened
Some of the original data protection principles set out in the Data Protection Directive have also been made more stringent. For example, the first principle now not only requires that data “must be processed lawfully and fairly” but also “in a transparent manner in relation to the data subject”. Similarly, the third principle, which previously provided that personal data shall be “adequate, relevant and not excessive” in relation to the purpose for which it is processed, must now additionally be “limited to the minimum necessary” for that purpose; further, that data should only be processed if the purpose cannot be fulfilled by processing non-personal data.
The draft regulation also introduces a new principle stating in terms the “responsibility and liability of the controller” to ensure and demonstrate compliance with the regulation.
This tightening up of the underlying data protection principles accordingly provides greater scope for business to fall foul of the regulation.
Right to be forgotten
One new provision that has attracted much comment is that of the data subject’s “right to be forgotten”. This right entitles data subjects to require data controllers to erase personal data relating to them. This would oblige the data controller to delete the data from its own systems. Where that information has been made public, the controller would also be required to take all reasonable steps to inform third parties of the erasure request and to erase any links to that information.
It can readily be seen that where this right is exercised, it would place a significant burden on data controllers, particularly where data is not held on the controller’s own systems. Consequently, a new category of potential data protection breach has been created.
Data protection officer
Another notable innovation is the requirement for data controllers and processors to appoint a data protection officer (DPO) where the company employs 250 people or more (or is a public authority). The draft addresses the role and responsibility of this new company officer in some detail. A DPO must have “the necessary level of expert knowledge”. He is not to take on any other duties to the company that may result in a conflict of interest with his role as DPO. His appointment shall be for a period of at least two years and he may only be dismissed if he no longer fulfils the conditions required by the regulation.
The tasks of the DPO will include informing the company of its obligations under the regulation, monitoring implementation, training, auditing, and notification of breaches. The company is also required to ensure that the DPO is involved in all issues which relate to the protection of data, that he is provided with adequate staff, premises and equipment to carry out his duties, and that he has a direct line of report to the company’s management. Accordingly, the regulation appears to envisage a DPO that is an independent watchdog and supervisor, albeit one employed by the company and yet not within the normal employment framework of that company.
While the obligations of the DPO are extensive, the potential liabilities that may be associated with this role are unclear. At the very least, however, we anticipate a need to add the DPO to any D&O or management liability policy held by the company.
Administrative sanctions
Another feature of the draft regulation that has attracted much attention is the introduction of a range of potentially very significant “administrative sanctions” for non-compliance. At the upper end, a fine of up to 2% of a company’s worldwide turnover may be imposed for a range of breaches of the regulation, including the failure to designate a DPO. National regulators are, therefore, to be endowed with very significant punitive powers that contrast markedly with the maximum fine of £500,000 that may currently be levied by the ICO in the UK. While in the ordinary course one would not expect any insurance to respond to such a fine, the costs of any investigation leading to it, particularly where any criticisms made by the ICO are contested, are likely to be significant.
The new regulation as currently drafted will extend the scope of the current data protection law, introduce new rights for individuals, strengthen the powers of the data protection authorities and introduce new obligations upon data controllers and data processors, not least in the area of data breach notification. In combination this represents a major change to the data protection risk landscape not only for businesses but also for the data protection insurance market.