Out-Law Analysis 4 min. read
21 May 2018, 12:33 pm
The GDPR, which will apply from 25 May, heralds a power shift away from companies, whether data controllers or data processors, towards data subjects – ordinary people, clients and customers.
Much has been talked about the need for senior management 'buy in' to the many GDPR compliance projects ongoing in businesses. Less has been spoken about the consequences that will unfold before the courts for the organisations that are not in compliance.
If a customer or employee believes that their personal data rights have been infringed by a company, whether as a controller or processor, then they can go to court to seek various orders and, importantly, they can sue for compensation. Others affected by the fallout will potentially also have a cause of action, for example a spouse whose partner became ill from the stress or a journalistic source that gets exposed in a data breach.
So whilst GDPR introduces the potential for much greater regulatory fines, those are not likely to be the fallout that puts a fault-line in a company's finances. Instead, the new 'data protection actions' that ordinary people can bring will do that.
Once proceedings are issued it won't be long before a forensics team hired by the opposing lawyers will be pouring over the internal corporate workings. Any idea of 'quick fixing' compliance will not work. Efforts to do that will be seen for what they are and will likely just increase the damages to be paid.
Data protection actions will be treated legally like other 'torts' – acts of infringement that incur legal liability. This is important as it is likely that the other side will be entitled to relevant and necessary document discovery – so how your company complies with GDPR will be on public show in the courts, and therefore potentially in the media.
It is going to become clear pretty soon which companies have competence in dealing with personal data and which ones cannot be trusted. The new enforcement regime will sweep all this information into the public domain.
When corporate governance is functioning properly it ensures that companies have the systems and controls in place to manage the flow of information so that they can make the right decision at the right time. An effective system of corporate governance requires: leadership; independence; competence, and; challenge. Of these, competence is 'king' and an understanding of the new GDPR enforcement regime is therefore vital for a board and senior management to ensure effective compliance within their organisation.
There are many potential infringements of GDPR that could give rise to a data protection action, including data breaches. The regulatory fines for data breaches are at the lower threshold, reflecting the fact that breaches do and will happen.
However, there will be mandatory notification to data subjects where there has been a data breach that poses a high risk "to their rights and freedoms". You have to assess that risk objectively and make a detailed written record of how you went about it. Mandatory reporting is a game changer because once the individuals concerned are informed about the data breach it can lead to them – and others damaged by the breach – issuing data protection actions. In Ireland, you will also have to inform the Office of the Data Protection Commissioner (ODPC) if the breach poses a risk – not necessarily a high risk – and do so within 72 hours, so it will all happen in a whirlwind.
Data breaches are typically categorised into three types.
A confidentiality breach is where there is an unauthorised or accidental disclosure of, or access to, personal data. An example would be emailing personal data to the wrong group of individuals, or giving access to third parties without a legal basis for doing so.
An availability breach is where there is unauthorised access to, or destruction of, personal data. An example would be an infection of ransomware, or misapplying a data retention policy and erroneously deleting information.
An integrity breach is where there is an unauthorised or accidental alteration of personal data. An example would be changing someone's health records accidentally or without authority.
There could be a cause of action against an organisation on foot of any of these.
GDPR provides that "any person who has suffered a material or non-material damage as a result of an infringement… shall have the right to receive compensation from the controller or processor for the damage suffered". There is a lot in those three lines.
Firstly the term "non material damage" covers non-financial damage, such as personal distress. Secondly, the right to compensation extends to "any person" – arguably both to a natural person and to a corporate entity.
Thirdly, the right to receive compensation is from the data controller or processor and so joint liability and several liability applies. That is why contracts between data controllers and processors are vitally important in addressing the issue of risk apportionment and indemnification in these scenarios, particularly if you are contracting with a party outside the EU.
So what can you do to hedge these new risks arising under GDPR? Here are four steps that I recommend you take.
Corporate reputations can be easily lost and are extremely hard to restore.
Ann Henry CIPP/E is a Dublin-based expert in commercial litigation at Pinsent Masons, the law firm behind Out-Law.com, specialising in TMT and intellectual property. She is a Fellow of the International Compliance Association. A version of this article was first published by Sunday Business Post on 20 May 2018.