What do I need to know?
- The GDPR will introduce significantly increased monetary penalties of up to 4% of worldwide annual turnover.
- Such sanctions can be brought against businesses acting as either data controller or data processor.
- Individuals will continue to have the right to bring claims directly against businesses for breach of data protection law, but they will be able to pursue damages from either the controller or the processor.
- Businesses based outside the EEA could also face sanctions and be subject to individual claims.
What do I need to do?
- While the GDPR will not be implemented for at least two years (current expectation is by mid 2018), some businesses may need to make substantial changes to their current practices, protocols and general culture in relation to privacy. Such sweeping changes will need time to implement.
- As a first step, businesses should familiarise themselves with the GDPR and the obligations that apply to them, prioritising areas that represent the greatest risk.
- Key issues to consider include what position to take with regard to liability and relevant contract terms with controllers or processors; understanding the risks and opportunities this involves, and considering insurance cover as appropriate.
What is the current position?
The Directive provides that each Member State must have in place a Supervisory Authority, responsible in their jurisdiction for monitoring and enforcing compliance with the Directive’s provisions. Supervisory Authorities are empowered to conduct investigations, engage in legal proceedings and intervene in the processing of personal data. The Directive also requires that Member States adopt “suitable measures” to ensure the full implementation of the Directive. Member States have implemented such measures in different ways. Many have opted for fines that are imposed by the relevant Supervisory Authority.
In the UK, the Directive is implemented by the DPA and the relevant Supervisory Authority is the ICO. The DPA grants the ICO the powers noted above, including the ability to issue monetary penalties (civil fines) of up to £500,000. Such sanctions can be enforced in relation to certain serious breaches of the DPA by the relevant data controller. The severity of a penalty will be dependent on a number of factors, including the seriousness of the breach and whether (and how much) damage and/or distress has been caused to affected individual(s).
As a reminder, “data controllers” determine the manner in which and purposes for which personal data about e.g. staff and customers is processed. “Data processors” do not; they process personal data on behalf of the “data controllers” which have appointed them. Accordingly, if an organisation is acting as a data processor, the Directive and DPA do not apply directly to it; instead, its obligations arise by way of contract between itself and the data controller for whom it processes the personal data, and its risks are contractual rather than statutory.
Under the Directive and now under the DPA, individual data subjects can bring claims against data controllers that have processed their personal data in contravention of the DPA, where they have suffered damage or distress. The individual does not need to show any financial loss. This approach is subject to appeal by the Supreme Court. A business may be exempt from such liability (in whole or in part) if it can prove that it is not responsible for the event giving rise to the damage or distress.
What will remain the same?
Under the GDPR, Supervisory Authorities will still be national bodies responsible for monitoring and enforcing compliance with data protection law in their member state.
Data controllers will still be subject to sanctions and/or enforcement action by Supervisory Authorities for any breach by them of the GDPR. The GDPR will not limit or reduce the liability businesses currently have under the Directive but will instead provide Supervisory Authorities with greater enforcement powers to incentivise compliance by significantly increasing the level of sanctions at their disposal.
Data controllers will also continue to be liable to individuals for infringement of their data protection rights.
What is changing?
While the general data protection concepts are largely unchanged, the extent of such Supervisory Authority powers will be changed significantly. Those changes that will likely most concern your business are as follows:
Monetary penalties: standardised and significantly increased
The GDPR provides new and increased caps on the level of fines that Supervisory Authorities are permitted to impose against both data controllers and now also data processors that have breached relevant provisions of the GDPR. This will be the first time that the ability to impose fines, and up to the same amount, has been harmonised across Europe. In many jurisdictions this will represent a significant increase from the fines currently available.
Depending on the breach, such maximum fines can be up to 2% or 4% of an ‘undertaking’s’ total worldwide annual turnover in the previous year. The GDPR sets out details on types of breaches for which the higher and lower caps will be available, the higher cap naturally being reserved for more serious areas of concern such as breaches in respect of lawful processing of personal data, consent, data subject rights, transfers outside the EEA and compliance with enforcement orders by the Supervisory Authority or the Court. It is unclear at this stage whether the worldwide turnover relates solely to the relevant controller/processor or to its group. In any case, such fines have the potential to be truly substantial.
Data processors are directly liable
For the first time the GDPR places specific obligations on data processors. As a result Supervisory Authorities will be able to take enforcement action and issue fines (as described above), where a processor does not abide by these new statutory obligations. For more information on data processor obligations under the GDPR, please see our GDPR and data processors briefing – coming soon!
Extended territorial reach
The GDPR significantly extends the territorial reach of EU data protection law; for example, organisations neither “established” in the EEA nor situating equipment there may now be caught if they monitor EU subjects, or target their offering of goods or services towards them. Processing that is caught by this extension will entitle supervisory authorities in the relevant jurisdictions to take enforcement action and issue fines as described above. For more information on the obligations imposed on non-EU entities under the GDPR, please see our Territorial Scope and Application briefing.
Data processors can be held liable for breach of the GDPR directly, where its provisions are applicable to them or they have acted contrary to the controller’s instructions. Data controllers and processors can each be held liable individually or jointly for the entire damage caused, and the individual may have the option of choosing the ‘deeper pocket’. Both controllers and processors may be exempt from liability if they can prove that they were in no way responsible for the processing that caused the breach (which, it should be noted, can be a breach that results in either ‘material or immaterial’ damage). There is also a recovery mechanism built into the GDPR to facilitate recovery by an “innocent” party from the party responsible for the breach that triggered the claim.
How will your business be affected?
If your business is based in the EEA and is acting as a data controller, then it will already have obligations under the Directive and relevant local laws, and be liable to individual claims. The implementation of the GDPR potentially greatly increases those risks, however, by:
- hugely increasing the potential fines that could be incurred across Europe, by tying them to worldwide turnover;
- extending the scope for individuals to make claims, as such claims may clearly be brought for ‘immaterial damage’ suffered; and
- apparently allowing individuals to pursue the ‘deeper pockets’ in a situation where both processor and controller are responsible for infringing action.
If your business is either a data processor based in the EEA or is a controller or processor based outside the EEA, it currently has no obligations under the Directive (nor under many local EU data protection laws, including the DPA). However, following implementation of the GDPR, such businesses will have a whole host of privacy obligations that they must be aware of and comply with, or face the very real possibility of the sanctions or claims described above.
Therefore, service providers of all fields and sectors (e.g. systems management providers, fund administrators and payroll hosting services, to name but a few), who currently are protected from the majority of statutory risk by virtue of simply being a data processor or being established outside the EEA, will need to ensure their practices (for all of their hundreds or thousands of clients) are compliant with the relevant GDPR obligations. A monumental task for some.
The knock-on effects of the above will likely be that controllers and processors each take firmer stances and take more time negotiating their contracts with each other, particularly in relation to liability. For example, each may seek indemnity coverage from the other in relation to claims or fines received by them pursuant to the actions or omissions of the other.
It is worth remembering that the GDPR will not be implemented for at least two years (current expectation is spring 2018 onwards). Some businesses, however, particularly those that have not previously been subject to European law (such as processors or businesses outside the EEA), may need to make substantial changes to their current practices, protocols and general culture in relation to privacy. This is no small matter and may take a long time to implement.
We suggest that, as a first step, businesses familiarise themselves with the GDPR and those obligations that apply to them. Eversheds are issuing a full suite of articles similar to this one, which summarise the key changes and offer practical guidance for compliance. We will also be hosting a series of training sessions and webinars in the coming months. After identifying those areas that represent the greatest risk to your business, you should then take appropriate systematic steps to minimise or eradicate those risks over the next two years. However, at the same time, you should be conscious of your existing obligations under current law – and continue to comply with them.
It may also be sensible for businesses to decide upon the position they intend to take with regard to liability and general terms in contracts with controllers/processors, understanding the risks and opportunities in such a process. Additionally, you may wish to consider obtaining insurance cover for such risks, as applicable.