We are operating in changing times.
The introduction of the GDPR in May 2018 is the biggest shake-up of data protection in many of our lifetimes. Much has already been written and debated on this subject, with mainstream media seemingly catching on only in the months before implementation. However, for many within the direct marketing industry, the changing regulations have had a profound impact on the terms under which we operate with our clients and suppliers for some time.
With growing fears about the potential fines around misuse of data and Personal Identifiable Information (PII), there has been a noticeable trend for organisations to push as much responsibility as possible onto third parties. As such, the requirement for others in the supply chain to accept unlimited liability for any contractual breach is on the increase.
In an ideal world, the theory of data protection law should mirror the practice. But this is rarely the case. All parties involved will endeavour to protect themselves from undue commercial risk and this is where the contractual negotiations begin. With increased scrutiny on an individual’s privacy protection, and the Information Commissioner’s Office (ICO) vision to “increase the confidence that the UK public have in organisations that process personal data”, organisations are looking to increase the level of data protection liability provided by their suppliers. They will often look to make these unlimited where possible.
Historically, it would be typical to see a capped liability of two or three times the value of the contract and often not exceeding £500,000. Until recently, that was the maximum level at which the ICO could fine an organisation. Under GDPR, those fines can increase up to 4% of the annual global turnover. It is therefore understandable that clients (those that under the GDPR are more clearly identified as the Data Controllers) wish to limit their exposure to the potentially huge fines and pass on that liability to the suppliers they are engaging under contract. The suppliers, in turn, will aim for a back-to-back contract with any of their third-party dependents to ensure that, should there be a breach that is not their fault, they will be able to recover the majority, if not all, of the costs incurred. And so on and so forth…
Can third parties survive in a market that demands unlimited liability? What does this mean for smaller suppliers/agencies/organisations in the future? Will we see more and more small companies taking on unlimited liability contracts to be able to win new business? But if they are then subject to a breach, large or small, are they potentially put out of business when they are faced with unrestricted fines that they cannot afford to pay?
The aim of the GDPR is to align and strengthen the data protection of all individuals within the EU by bringing legislation up-to-date in an increasingly digital economy. I don’t believe it is designed to make every EU business tie themselves up in legal knots, spending months negotiating the finer points of a contract and/or suing every party in the chain for alleged breaches to their contracts. Indeed, if businesses adopt compliant procedures and processes – and monitor their ongoing, correct implementation – then they are unlikely to be the subject of a fine, a breach of contract, or a claim for damages.
What is needed is for organisations to develop a greater understanding of their role as an organisation within the legal context (e.g. Edit acting as a Data Processor). They also need to get to grips with the dependencies of each party in the supply chain and what is reasonably practicable so that organisations can carry out their business functions.
It becomes a question of what is the level of commercial risk, what is an acceptable liability cap (given the nature of the working partnership) and what can be agreed as commercially acceptable to both parties?
To answer this, there are some further considerations:
- What is a realistic level of liability required? Are you, as a Data Controller or Data Processor, handling significant volumes of PII data and/or sensitive PII data? Are there processes or policies in place that require you to demonstrate a high level of data security?
- What are the terms and value of the contract? Do you need to offer such a high level of liability if the value of the contract isn’t sufficient to warrant it? Does the length of the contract justify a higher or lower liability cap? Is your contract exclusive?
- What insurance do you have in place and how well does it protect your business from a claim? Is it going to be sufficient under the GDPR and does it protect your organisation against data protection breaches as well as data security incidents? What is currently excluded? Does it need updating in line with the GDPR to ensure its adequacy?
We do not want to see organisations that previously had a mutually beneficial working partnership and a good degree of trust and confidence unwilling or unable to work together. We also don’t want to see them having to adopt processes and procedures that, at best, are counter-productive to the actual commercial and operational aims of the organisations involved.
What we should all want to see is organisations able to continue benefitting from the work of nimble and strategically innovative agencies – those that help them to drive their businesses forward. Most importantly, we should also want to see that the threat or perceived threat of contractual and privacy breaches that come out of new regulations does not stifle industry itself.