This is a modified concept. While there are legal consequences to data breaches under the Data Protection Directive, one of the GDPR’s headline changes is supervisory authorities’ new ability to measure fines against annual global turnover.
How does this concept differ from the current position?
Under the Data Protection Directive the ICO (the UK’s supervisory authority) may impose fines of up to £500,000 on data controllers only, depending on the severity of the breach. Data controllers are held accountable for data breaches experienced by their data processor suppliers, although the data processor could be liable to the data controller under the terms of the contract between them.
Under the GDPR, supervisory authorities will be able to impose fines of the higher of:
- €20 million or 4% of annual global turnover for breaches of, for example, the principles of processing and data subjects' rights.
- €10 million or 2% of annual global turnover for breaches of obligations including maintaining written records, implementing technical and organisational measures, and the appointment of Data Protection Officers.
The GDPR includes a list of factors which will need to be taken into account when determining whether to impose an administrative fine and the amount to be imposed. The factors to be considered are by reference to each individual case and will take account of (amongst other things) the nature, gravity and duration of the infringement, any mitigating actions taken and whether there is any history of previous infringements.
Member states will have discretion to designate breaches of specific aspects of the GDPR as criminal offences.
The GDPR will also introduce an updated right for data subjects to claim compensation for financial loss and non-financial damage suffered as a result of breaches. Under the current Data Protection Directive, liability for compensation is limited to the data controller. This changes under the GDPR and both data controllers and data processors will be liable for compensation as well as being exposed to supervisory authorities’ fines – being fined will not shield organisations from compensation claims, and vice versa.
Data controllers pursued for damages will be able to claim back all or some of the money they pay out from their data processor if the data processor was responsible for the breach. Similarly, data processors will be able to claim back from data controllers or other data processors whose fault caused or contributed to the damage.
What will the impact be on your business?
The increase in financial sanctions under the GDPR has, in part, been responsible for the considerable amount of attention given to the incoming regulation. These increases, together with mandatory breach notification requirements, mean that the overall risk profile of non-compliance must be reviewed and updated as part of organisations’ preparation for the GDPR.
Under the GDPR, organisations are likely to find that the reputational risk of data breaches is higher. Previously organisations were, to an extent, able to choose whether and when to disclose that a data breach had occurred and manage publicity accordingly. Under the GDPR’s mandatory breach notification regime, however, breach information will by default be in the public domain and the resulting knock-on damage to organisations' reputations could well be severe.
As has always been the case with data breaches, in addition to any regulatory fines, organisations will need to consider the short and longer-term operational and management costs associated with responding to, and resolving, the breach.
What actions should you take to prepare?
- Review and update risk registers.
- Put in place a formalised incident management strategy for managing actual or suspected breaches and have a well thought-out communication plan in order to reduce any long-term impact.
- Consider standard negotiating positions for allocating data breach risk in contracts. Organisations should also carry out a review of existing arrangements with third parties (e.g. customers and suppliers) to assess liability exposure for data protection breaches.
- Conduct a review of insurance arrangements to ensure there is sufficient coverage.