BY SAMANTHA WRIGHT, MEDIA DIRECTOR.
We are operating in changing times. The impending GDPR in May 2018 will bring the biggest shake-up of data protection in many of our lifetimes. Much has already been written and debated on this subject, with the mainstream media seemingly catching on only very recently. For many within the direct marketing industry, however, the implications of the changing regulations are already having a profound impact on the terms under which we operate, with our clients and suppliers alike.
With the growing fears about the potential fines for misuse of data and PII, there is a noticeable trend for organisations to push as much responsibility as possible onto third parties; the requirement for others in the supply chain to accept unlimited liability for any contractual breach is on the increase.
In an ideal world, the theory of data protection law would be mirrored in practice, but that is rarely the case. All parties involved will endeavour to protect themselves from undue commercial risk, and this is where the contractual negotiations begin. With the increased scrutiny on individuals’ privacy protection, and the ICO’s vision to ‘increase the confidence that the UK public have in organisations that process personal data’, organisations are looking to increase the level of data protection liability provided by their suppliers, and will often seek to make it unlimited where possible.
Historically, it would be typical to see liability capped at two or three times the value of the contract, and often not exceeding £500,000, as to date that has been the maximum fine the ICO has been able to impose on an organisation. Under GDPR, those fines can increase to up to 4% of the organisation’s annual global turnover. It is therefore understandable why clients (who, under GDPR, are more clearly identified as the Data Controllers) wish to limit their exposure to potentially huge fines and pass that liability on to the suppliers they engage under contract. The suppliers in turn will aim for a back-to-back contract with any of their third-party dependants to ensure that, should there be a breach that is not their fault, they can recover the majority, if not all, of the costs incurred. And so on and so forth…
Can third parties survive in a market that demands unlimited liability? What does this mean for smaller suppliers, agencies and organisations in the future? Will we see more and more small companies taking on unlimited liability contracts in order to win new business, only to be put out of business by any breach, large or small, when they are faced with unrestricted fines which they cannot afford to pay?
The aim of the GDPR is to align and strengthen the data protection of all individuals within the EU, bringing legislation up to date in an increasingly digital economy. I don’t believe it is designed to make every EU business tie itself up in legal knots, spending months negotiating the finer points of a contract and/or suing every party in the chain for alleged breaches of contract. Indeed, if businesses adopt compliant procedures and processes, and monitor their ongoing, correct implementation, then they are unlikely to be the subject of a fine, a breach of contract claim, or a damages claim.
Going forward, organisations need to develop a greater understanding of their role within the legal context (e.g. Response One acting as a Data Processor), of the dependencies between each party in the supply chain, and of what is reasonably practicable in order for them to carry out their business functions.
It then becomes a question of what the level of commercial risk is and, from that, what an acceptable liability cap is, given the nature of the working partnership and what can be agreed as commercially acceptable to both parties.
To answer this question, there are some areas for consideration:
· What is a realistic level of liability required? Are you, as a Data Controller or Data Processor, handling significant volumes of PII, or sensitive PII? Are there processes or policies in place which require the demonstration of a high level of data security?
· The contract terms and value: what is the value of the contract being awarded? Do you need to offer such a high liability level if the value of the contract isn’t sufficient to warrant it? How long is the contract term? Does it justify a higher or lower liability cap? Is your contract exclusive?
· What insurance do you have in place, and how well does it protect your business from a claim? Will it be sufficient under GDPR, and does it protect your organisation against data protection breaches as well as data security incidents? What is currently excluded? Does it need updating ahead of May 2018 to ensure its adequacy?
We do not want to see organisations which have hitherto enjoyed a mutually beneficial working partnership, with a good degree of trust and confidence in that relationship, become unwilling or unable to work together in future for purely contractual reasons, or be forced to adopt processes and procedures which are at best counter-productive to their actual commercial and operational aims. It is about ensuring that organisations can continue to benefit from the work of the nimble and strategically innovative agencies who help them to drive their businesses forward, and that the threat, or perceived threat, of contractual and privacy breaches does not stifle the industry itself.