When the General Data Protection Regulation comes into effect on 25 May this year it will impact many businesses. If you are one of them, then your plans to ensure compliance should already be well advanced. However, with many GDPR experts acknowledging that few businesses will be 100 per cent compliant on day one, thought also needs to be given to the steps that can be taken to limit the financial and reputational damage caused where a breach of the regulation occurs.
In this article, David Hacker, commercial dispute resolution expert with Thackray Williams, explains the potential implications of a GDPR infringement and considers what you can do to control the risk and contain the damage.
Implications of a breach
Where a breach of the GDPR occurs, there are several potential implications, including;
- the possibility of a fine being imposed by the Information Commissioner’s Office;
- compensation being sought by affected data subjects; and
- reputational damage arising from adverse publicity.
The amount of fine that may be levied will rise from the current maximum of £500,000, to a maximum of either:
- €10 million or two per cent of annual worldwide turner; or
- €20 million or four per cent of annual worldwide turnover
depending on the type of breach and the surrounding circumstances.
Data subjects affected by a breach will have enhanced rights to claim compensation, not just for any financial losses they have suffered but also for non-financial harm, such as personal distress or embarrassment.
Unlike the existing data protection regime, liability to pay compensation and to be fined is not limited to data controllers – data processors, such as subcontractors handling data for payroll or marketing purposes, can also be held to account.
Reputational damage is also a very real possibility given the obligation under the GDPR to self-report breaches to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of them. Where the breach poses a high risk to the rights and freedoms of data subjects, there is also now an obligation to report details of the breach to affected individuals as well. Details of breaches therefore have the potential to come into the public domain very quickly.
Limiting the impact
To ensure that the fallout from a breach of the GDPR is contained, you need to have processes and procedures in place which enable breaches to be:
- quickly identified;
- promptly reported;
- thoroughly investigated;
- swiftly remedied; and
- carefully managed from a public relations point of view.
As far fines are concerned, the GDPR sets out a list of factors that will be taken into account when determining the level of any fine. These include the nature, gravity and duration of the breach, whether it occurred because of an intentional act or negligence, steps taken to mitigate any damage, the extent of cooperation with the Information Commissioner’s Office and whether there have been any prior incidents of infringement.
Managing the litigation risk
Prevention is better than cure, so the best way to manage the litigation risk is to ensure that your processes and procedures are geared towards meeting the requirements of the GDPR and to identifying, and appropriately handling, those occasions where things go wrong. This includes ensuring those accountable for GDPR compliance within your business are clearly identified, all staff and contractors are suitably trained, contact details for employees, suppliers, subcontractors and customers are up to date, your security systems are sufficiently robust, and the procedures you have in place to deal with potential problems are clear and consistently followed.
If it looks likely that a breach could lead to a fine, you should speak to a solicitor to ensure that you have taken all necessary steps to keep the fine as low as possible.
Where a claim for compensation is made, you need to consider whether responsibility rests with you. For example, if you are a data controller who believes that responsibility lies with a data processor, it may be that liability for the claim can be shifted. However, where responsibility lies with you both, any liability that arises will do so on a joint and several basis, which means that a data subject could choose to pursue you alone, although in these circumstances you would of course have the right to claim a contribution from the processor.
It is also important to note that there is a defence available to compensation claims if you can show that you were in no way responsible for the event giving rise to the damage claimed.
With the introduction of new rights for data subjects, including the much publicised right to be forgotten, there is potential for disputes to arise where there is a debate to be had about whether the right can be enforced. The right to be forgotten, for example, does not apply where, among other things, the data is needed to help establish or defend a legal claim or to comply with a legal obligation.
Disputes between you and a data subject have the potential to be very costly and time consuming, and therefore need to be handled with care.