GDPR … what’s all the liability about?
November 23, 2018
The General Data Protection Regulation (GDPR) came into effect in all EU Member States on 25 May 2018, which means it is now only lawful for a data processor to process personal data on behalf of a data controller if the processing takes place under a written contract that contains certain mandatory contract terms.
The average commercial organisation may have hundreds, if not thousands, of third party agreements under which personal data is processed and many of these agreements will have been concluded well before the GDPR came into force.
For most organisations, particularly data processors, the GDPR fundamentally changed the risk profile of their commercial relationships with clients, customers or suppliers. As both data processors and data controllers can now be fined up to 4% of their annual global turnover (and processors can now also be held liable for security breaches), organisations are becoming increasingly resistant to accepting uncapped and unlimited liability for losses arising as a result of obligations in respect of personal data.
Many organisations are now struggling to identify the liability caps that would be acceptable to them and would provide them with sufficient ability to recover their losses flowing from a data leak / breach. Whilst each organisation will take its own view as to the factors that matter most to it when deciding what is acceptable risk under a contract, we have set out below our thoughts on issues that are often overlooked when negotiating liability provisions:
- Market / Industry ‘standard’ – There has been a lot of talk amongst data protection and commercial lawyers about a ‘market’ or ‘industry’ standard for liability caps, presumably based on an average of the different levels of liability organisations are willing to accept for a breach of data processing contract provisions. The problem with ‘market’ or ‘industry’ standards is that for every organisation that accepts an ‘industry standard’ (whether 2, 3 or 4 times contract value) there are a handful of organisations that do not accept the industry standard. Sometimes, it is more helpful during negotiations to disregard market standard liability regimes altogether so that the parties can arrive at a position that better reflects the reality of the engagement the parties are entering into.
- Value of relationship / services – Many organisations, particularly suppliers, will be unwilling to accept high amounts of risk on engagements where the fees, or profitability, are low. In many cases, customers will need to accept that, whilst a supplier’s engagement margin or profitability is not anywhere near a customer’s key concern, the customer is unlikely to obtain gold plated contract terms from a supplier from which they have obtained very favourable commercial terms.
- Data protection compliance – The GDPR requires data controllers to only engage those data processors who can provide sufficient assurances with regard to their data protection compliance programme. Customers should therefore establish a rating / ranking system to be used as part of the organisation’s evaluation criteria in its procurement process, and customers may be prepared to accept more balanced liability provisions (offer just as much ‘carrot’ as ‘stick’ in negotiations) from those suppliers that can demonstrate that their data protection compliance programmes are as good as, if not better than, the industry standard.
- Structure of liability cap – It will be important to establish not just the quantum of the liability cap your organisation could accept, but also how the liability cap agreed should be constructed. Do you negotiate a separate liability cap, often called a ‘super cap’ or an ‘enhanced’ liability cap (where the cap is increased for data protection losses only if the general liability cap is exhausted)? Should each statement of work under a framework agreement / MSA attract its own (and potentially much lower) individual liability cap or should the liability cap aggregate fees across multiple engagements? Should the framework agreement / MSA level liability cap refresh or reset annually, or should there be one overarching liability cap for the entire life of the framework agreement / MSA? Establishing your organisation’s preferred construct early on will most certainly speed up contract negotiations.
- Other mitigation measures – Organisations may also look to include indemnity protection in their agreements or even take out insurance coverage against losses that they may incur; for example, in relation to the internal costs of managing a data breach.
The biggest issue facing organisations today is not just the complexity of the contract negotiations that are required to resolve data protection matters but also the sheer volume of agreements that have been affected. The key question is, how do you re-paper hundreds and thousands of agreements without setting up a GDPR ‘cottage industry’?
At PwC, we think the answer is innovation … and that’s why we’re on a journey to code.