When it was first announced that the General Data Protection Regulation (‘GDPR’) would introduce fines of up to 20 million Euros, directors across the country paid attention. It is now clear that fines of this level will be reserved for the most flagrant and damaging breaches of the data protection principles. Even so, there is a range of regulatory, reputational and, therefore, commercial consequences for any organisation which fails to meet the higher standards of responsibility created by the GDPR. For this reason, data protection has become a priority within the board room.
Board room responsibility for data protection
Commercial organisations increasingly rely upon the flow of personal data to both establish and expand their business. Compliance with the data protection regime requires the commitment of every function within a corporate organisation. It has long been recognised that data protection breaches are most commonly caused by internal human error rather than external cyber attack. For this reason, the GDPR requires organisations to have “appropriate technical and organisational measures” in place. This requires the implementation and maintenance of secure IT systems, organisation-wide training and robust policies on all aspects of data handling. Further, the GDPR introduces a new principle of accountability, which requires organisations not only to comply with the data protection principles but, at any time, to be able to demonstrate that they do. The role of directors will be to properly understand, prioritise and implement the changes needed to comply with the data protection regime, both ahead of the GDPR coming into force and as the business changes.
Some organisations will be required to appoint a data protection officer, who has specific responsibilities under the GDPR and will report directly to the board (see: An introduction to Data Protection Officers under the GDPR: Should you appoint one?). However, even if this is not a legal requirement, many organisations are now choosing to allocate responsibility for data protection to one individual with management responsibility for relevant functions across an organisation and who attends board meetings. Within any growing corporate organisation, directors should have some level of IT competence and IT professionals should be at the board table.
Directors’ liability for data protection?
Once a data breach has been identified, the organisation may be required to notify both the Information Commissioner’s Office (ICO) and the data subjects themselves within a short period of time (See: The real impact of the GDPR… new notification obligations). Upon learning of a breach of data protection legislation, the ICO has broad investigation powers including service of production orders and the exercise of search warrants.
Under the GDPR, there is a range of criminal offences relating to data protection, including unlawfully obtaining, disclosing or selling data (section 55) and various offences relating to the exercise of the ICO’s statutory powers. There are also new offences under the Data Protection Bill, including altering or destroying data with the intention of preventing disclosure of information to a data subject. Directors may be liable for the criminal offences of the company where these were committed with their “consent, connivance or neglect.” Whilst prosecutions of directors under the Data Protection Act (DPA) have been rare, directors should be conscious of the possible criminal offences which an organisation may commit and of the possibility of the ICO prosecuting individuals.
In exercising its regulatory responsibilities, the ICO has a toolbox of enforcement measures available. Alongside imposing fines, this includes warnings and reprimands, ordering compliance and imposing restrictions on processing data (See: The £17 million Question - What will the ICO’s enforcement powers be under the GDPR, and how will they be used?). However, at present, the company will be at the sharp end of such measures and there are no separate provisions making directors individually liable for non-criminal breaches of the legislation.
However, directors should be mindful that this may change in the future. In 2015, the ICO’s enforcement of fines was being frustrated by organisations going into liquidation. For this reason, the Information Commissioner, Elizabeth Denham, recommended to a House of Commons Committee in October 2016 that directors should be both liable and accountable for the data protection failings of their organisations. Although this has not been progressed within the current Data Protection Bill, the future possibility of individual liability to the ICO for breaching the data protection principles should not be discounted.