The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and introduce the possibility for substantially increased fines to be issued for data protection breaches compared to those which can be imposed currently.
Service providers that process personal data on behalf of other organisations, known as data processors, will face new obligations and may be on the hook for substantial fines where failings are identified.
The toughened approach to data protection fines envisaged under the GDPR is something that data controllers and data processors need to consider carefully when putting in place data processing contracts. Insurers must also recognise the impact that the changes could have on the risk profile of businesses they provide cover to.
Fines under the GDPR
Under current data protection rules data processors cannot be fined by the Information Commissioner's Office (ICO) for a breach of data security. It is the data controller that is subject to any fine. Where data processors have contravened data protection legislation then the data controller may seek to recover some or the entirety of that fine, together with any other associated costs, from the data processor under the relevant contract.
However, once the GDPR comes into force on 25 May 2018, data processors may be fined directly by the ICO. This is significant for two reasons – because data processors, even smaller entities, must engage with the requirements of the GDPR; and because the potential fines that businesses may face are increasing substantially.
A two-tiered sanctions regime will apply. Contraventions of certain provisions by businesses, which lawmakers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover for the preceding financial year, whichever is greater.
The relevant provisions on data security are contained under Articles 5 and 32 of the Regulation.
Article 5 sets out basic rules on personal data processing, considered to be fundamental to data protection, which apply only to data controllers. One of those rules requires data controllers to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
Where data controllers contravene that Article 5 requirement they could be served with the highest possible fine that data protection authorities will be able to issue under the reformed framework.
In contrast, if data processors breach their statutory data security obligations, set out under Article 32, which requires them to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" of their personal data processing, then the most they could be fined is €10 million or 2% of global annual turnover for the preceding financial year, whichever is greater.
Data controllers are also subject to the Article 32 obligations. It therefore appears open to national data protection authorities to fine data controllers for any data security failings under either Article 5 or Article 32. Which of the two they choose in those circumstances would determine the severity of the fines they could issue.
The fines that could be imposed under the GDPR could be significantly higher than the maximum penalty that can currently be applied by data protection authorities. In the UK, for example, the ICO has the power to issue fines of up to £500,000 to businesses for serious breaches of the Data Protection Act.
The largest fine the ICO has imposed for a breach of the Data Protection Act to date is the £400,000 penalty it issued to TalkTalk, which followed a high-profile cyber attack and data breach.
According to the company's latest annual report, TalkTalk's revenues for the year totalled approximately £1.8 billion. A potential fine of up to approximately £72 million could therefore have been imposed on TalkTalk over the data breach it experienced had the GDPR applied at the time of the incident.
Impact of fines on the supply chain and insurers
The TalkTalk example is a sobering reminder of the step-change in the severity of penalties that could be imposed for breaches of EU data protection laws after the GDPR comes into force.
The changes represent a matter of considerable risk management for both data controllers and any data processors in their supply chains. Insurers should also be paying close attention to this, as the risk profile that smaller insured processors in a contractual chain could present may be fundamentally altered by the change.
Awareness of data protection has been growing in recent years, with more and more data breaches hitting the headlines and organisations battling to manage the impact such incidents have on their reputation and, ultimately, their bottom line.
We can expect that rate of awareness to increase as we approach the 25 May 2018 deadline when the GDPR comes into force. However, the 'big bang' will probably come shortly after GDPR takes effect and once the first substantial fines are levied. Data processors and others that fail to pay attention to the reforms will be in for a rude awakening.
To mitigate the risks of major fines within the supply chain, businesses should pay close attention to the liability arrangements within the relevant contractual frameworks, and ensure that appropriate technical security measures are put in place by each processor in the contractual chain.
There's a real risk point here for insurers: SMEs or low-level processors that previously may have been considered lower risk could now be viewed in a whole new light.
As data has developed to be almost a currency in its own right, protection of that data has taken on an equally considerable value and the GDPR marks a huge increase in the potential risks that will come with processing that data.
It is remarkable how many SME businesses, including those that have insurance cover, even today have little to no appreciation of data protection considerations or security measures. Following the GDPR, a failure by a data processor to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" could result in a fine of millions of euros. It is incumbent on insurers to reassess the risk they underwrite as a result, particularly where those fines may inadvertently be covered by existing policies.
Philip Kemp is a specialist in cyber risk and regulation at Pinsent Masons, the law firm behind Out-Law.com.