Data protection | Jul 4 2018

The risks of not adhering to GDPR

On the day the GDPR took effect, the Data Protection Act 1998 was repealed and replaced by a new Data Protection Act 2018.

This has dramatically altered the regulatory and litigation landscape faced by businesses and their directors when dealing with personal data.

Organisations holding and processing data have always been required to process it in a lawful, fair and transparent manner.

This includes data relating to customers and employees. However, the GDPR places a much heavier accountability burden on organisations to comply with its principles. In particular, businesses must now be able to evidence how they are complying with the regulation.

Further, data subjects are increasingly aware of their rights, and the GDPR requires them to be notified where a data breach is likely to result in a high risk to them. The GDPR imposes significant financial penalties on businesses of up to €20m (£17.6m) or 4 per cent of global annual turnover, whichever is higher.

The new regime also exposes directors to criminal sanctions. Directors are therefore facing a perfect storm: increased public awareness of rights over personal data, combined with the threat of far larger fines and personal culpability.

An organisation must implement “appropriate technical and organisational measures” to demonstrate that data processing is performed in accordance with the GDPR.

What amounts to an appropriate measure is not defined, but it must be “proportionate” to the nature and scope of data being processed and the likelihood and severity of risks to that data.

Responsibilities

Larger organisations (with more resources, employees, customers and data) will necessarily be required to implement more rigorous data protection regimes, policies and training to demonstrate their compliance with the GDPR than SME businesses.

In addition to the significant administrative fines imposed by the Information Commissioner's Office (ICO), the GDPR stipulates that any person who suffers material or non-material damage as a result of a breach has the right to receive compensation from the organisation responsible.

The only defence is for the organisation to demonstrate that “it is not in any way responsible for the event giving rise to the damage”. This is a high test to meet, and the civil liability it leaves in place is in addition to any administrative fine imposed by the regulator.

The phrase “non-material damage” allows for compensation to be awarded for distress and inconvenience where no financial loss has been suffered.

As well as this individual right of action, the GDPR contains provisions that may encourage group actions for data breaches.

Data subjects have the right to instruct a not-for-profit organisation “to exercise the right to receive compensation” on their behalf.

It is likely that this provision will be used as a vehicle for claims to be brought on behalf of a group of individuals in the event of a data breach.

Key points

  • Legislation has dramatically changed the regulatory landscape over the handling of data
  • Anyone suffering damage from a data breach has the right to receive compensation
  • Following the incident suffered by Dixons Carphone, the company is trying to determine how many people had their data compromised

This could have far-reaching consequences where a data breach results in thousands or millions of individuals having their personal data compromised and those individuals group together to bring a claim.

Litigation?

Clearly the introduction of the GDPR has increased the risk of data protection litigation. Indeed, it is arguable that the GDPR contains provisions that target and promote best practice and governance through civil accountability, rather than through formal regulation.

In practice, we anticipate that the principles will encourage awareness of the need to protect and manage data. However, the GDPR also gives data subjects increased and enhanced rights that they may wish to enforce against businesses.

In the event of a security breach, organisations are obliged to report the breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Further, businesses must also inform affected individuals (data subjects) where the breach is likely to result in a high risk to them.

This will require businesses to determine the scope of any breach urgently, including who has been affected and what data has been exposed, because they must inform the data subjects “without undue delay”. This may not be straightforward.

The data incident suffered by Dixons Carphone will doubtless be heavily scrutinised by the ICO, not least because of the volume of data involved. Dixons Carphone is urgently investigating the breach, which is understood to have started in July 2017 but was only discovered in June 2018.

One of the problems faced by Dixons Carphone will be determining precisely what information has been compromised. All that is known is that 1.2m personal data records have been accessed and that there “was an attempt to compromise” 5.9m credit and debit cards.

Although this breach appears to have occurred before the implementation of the GDPR, the company has said that it will inform those individuals who have had personal, non-financial data accessed.

It is, however, unclear whether the incident continued after the GDPR and the new Data Protection Act 2018 applied.

The ICO may well impose a significant fine, because this incident follows a similar event that occurred in 2015. For that breach the ICO issued the company with a penalty of £400,000 for a system failure that allowed unauthorised access to the personal data of more than 3m customers and 1,000 employees.

This was one of the largest fines imposed by the ICO under the previous regime. 

Liability 

The impact that the GDPR will have on the personal liability of directors and officers remains uncertain. It would appear that liability falls firmly on the organisation (as controller) to comply with the GDPR and to demonstrate its compliance.

However, company directors will doubtless face claims where a company's breach of data protection legislation results in a reduction in shareholder value.

Following the recent data breach admitted by Dixons Carphone, its share price fell more than 3 per cent in early trading.

In some instances, organisations must nominate an individual to act as a data protection officer (DPO) and, based on the level of responsibility that this role entails, DPOs will commonly be senior managers or directors.

However, the GDPR does not provide for personal liability of the DPO. A DPO is nonetheless likely to seek an indemnity from the business in case they are subject to regulatory action for any breach.

Insurance

The risk to company directors and officers has necessarily increased as a consequence of the introduction of the GDPR, and the size of the administrative fines that businesses now face for a data breach has increased dramatically.

This, combined with the increased risk of litigation, has made the corporate environment significantly more hazardous.

Insurers can assist businesses to a degree; however, any insurance policy is unlikely to cover ICO fines.

This is because it is against public policy to insure against penalties imposed by a regulatory body.

Where an insurance policy can assist is in funding the legal fees to investigate and respond to an investigation launched by the ICO.

It is for each business to ensure that it implements “appropriate technical and organisational measures” if it is to have any form of defence to an ICO investigation, a claim by data subjects, or a claim by its shareholders in the event of a data breach.

Michael Howard and Mark Gleeson are members of the directors and officers group at the Forum of Insurance Lawyers (FOIL), and partners at Browne Jacobson