The General Data Protection Regulation: A Game-Changer for Data Processors

With less than a year until the General Data Protection Regulation (GDPR) becomes directly applicable in EU Member States, data processors are facing significant changes to their processing obligations and, for the first time, will be subject to direct compliance requirements by law. Understanding these changes, the potential associated costs, and the implications for risk management strategies are important steps to preparing for the new legislation, particularly for communications, media, and technology (CMT) companies.

Currently, data processors’ obligations are defined in their contracts with data controllers. If a data breach occurs for which the processor is responsible, it is likely to manifest as a first-party regulatory exposure for the controller and a third-party errors and omissions exposure for the processor. The controller would be subject to any regulatory enforcement action (including fines) in addition to claims for compensation from individuals and then seek recourse/damages from the outsourced service provider as a claim for breach of contract.

THE CHANGES UNDER THE GDPR AND IMPLICATIONS FOR CMT COMPANIES

The Regulation introduces direct obligations and liabilities on data processors as outlined in Marsh’s recent adviser. Going forward, data processors will now be exposed to regulatory enforcement action as well as claims for compensation from individuals and contractual claims from the data controllers as a result of a breach of their processing obligations.

The GDPR significantly increases the fine that may be levied in the event of an infringement of the data protection law. Currently in the UK, the maximum fine for non-compliance with the Data Protection Act 1998 is GBP500,000. Under the GDPR, this will be increased to a maximum of EUR10 million or 2% of total annual worldwide turnover (whichever is higher) for less serious violations, or up to EUR20 million or 4% (whichever is higher) for more serious violations.

Furthermore, many organisations that were not previously subject to EU data protection law will now find they are captured by the new Regulation, due to the expanded territorial scope of the legislation. Data processors and controllers based outside the EU will also need to comply with the GDPR if their processing relates to the offering of goods or services (even for free) to and/or the monitoring of behaviour of individuals in the EU.

As part of their wider preparations for the GDPR, data processors should be reviewing their insurance programmes and addressing the following key questions:

• Does it deliver adequate protection for a breach of privacy law and regulation?
• Does it deliver adequate protection for legally insurable fines imposed by a data protection supervisory authority?