In September 2020 SaaS provider Shopify admitted that two rogue members of its support team had stolen customer personal data from around 100 merchants. The personal data consisted of names, postal addresses and other information. Shopify investigated the incident and was able to conclude that none of the data was used and that financial data was unaffected. But imagine the impact if it had been used.
Here we review the obligations of data processors and controllers, and discuss your company’s responsibilities and those of your supplier.
- What’s a personal data breach?
- What are the consequences of a GDPR breach?
- Working out who is the data controller under your supplier relationship
- Controller obligations in case of supplier breach
- How to minimise third-party data risk
What’s a personal data breach?
Under GDPR a personal data breach is described as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.’
A personal data breach is probably the worst thing that could happen to a supplier (processor) as well as to a controller. A processor has many responsibilities towards its controller client, and one of them is to ensure that technical and organisational measures are in place to secure the personal data it processes, and to inform the controller without undue delay of any personal data breach.
Whilst a processor would do its best to look after the personal data it processes on behalf of the controller, we all know that data can never be 100% secure, especially in the virtual world. Cyber identity fraud is said to be the fastest-growing risk, and is one of the means hackers use to gain access to our personal data.
What are the consequences of a GDPR breach?
A personal data breach by a processor can have many consequences. A data processor has many responsibilities and duties towards controllers, and one of them is to ensure that personal data is kept secure and safe.
There are many consequences for businesses when a personal data breach occurs; however, we list what we believe are the top three:
- Fines – People expect that their personal data will be secure when it is processed. There are severe penalties for processing personal data for a purpose other than the one for which it was collected, or for allowing the data to be lost, accessed or destroyed. Supervisory authorities have the power to issue fines of up to 20 million euros or 4% of the breached organisation’s annual global turnover, whichever is higher. The sanctions are not limited to financial penalties: the supervisory authorities also have the power to take enforcement action.
- Reputational damage – this can, at times, be worse than a fine. A company can get over a fine and probably still sustain profitability (or just about); however, if word gets out that there have been failures in your technical or organisational systems, or even rogue employees as in the Shopify case, this can cause major reputational damage. It can be a domino effect: where there has been one breach affecting a controller or processor client, the rest are likely to withdraw their business; after all, good news travels fast, but bad news travels even faster.
- Revenue loss – Studies show that 29% of businesses that suffer a data breach end up losing revenue, and some of them suffer losses they are unable to survive.
Working out who is the data controller under your supplier relationship
The party that determines what personal data is to be processed would be the controller, and the party that follows the instructions of the controller is the service provider, better known as the processor. The ICO provides a simple example to illustrate this point:
‘A private company provides software to process the daily pupil attendance records of a state-maintained school. Using the software, the company gives attendance reports to the school. The company’s sole purpose in processing the attendance data is to provide this service to the school. The school sets the purpose – to assess attendance. The company has no need to retain the data after it has produced the report. It does not determine the purposes of the processing; it merely provides the processing service. This company is likely to be a processor.’
The school would be the controller, as it determines what personal data to process, whereas the company acts on the controller’s instructions and carries out the processing activities.
Whilst a party can be both controller and processor for different purposes, it cannot hold both roles for the same processing activity. It may be the case that the processor wishes to engage another processor to assist with the processing activity for which it has been instructed. Any processors engaged in this way would be regarded as sub-processors, and the same obligations would follow down the chain. So, in the above example, if the company engaged a sub-processor to do some of the processing activities, both the company and the sub-processor would remain processors.
Your GDPR obligations would also depend on whether you are a controller or a processor. Essentially a controller has more obligations and exercises ultimate control, whereas a processor has fewer obligations and is restricted as to what it may do with the personal data.
Data Processing Terms
The services that a processor would provide would be limited to the controller’s instructions. The processor would not exercise any control over the purpose for which the personal data is processed. Article 28(3) GDPR requires a contract to stipulate the nature and purpose of the processing. This would be the reason why the controller wishes to instruct the processor. The clauses would apply to the delivery of the services specified in the body of any substantive agreement.
Should there be any ambiguity in role determination, the data processing agreement would be the first place to look. The contract would include precedent clauses which would include, but are not limited to:
- The processor must only act on the controller’s documented instructions.
- The processor must take technical and organisational measures to ensure the security of processing.
- The processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract.
- The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights.
- The processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- The processor must delete or return all personal data to the controller upon termination of the contract.
- The processor must submit to audits and inspections.
Controller obligations in case of supplier breach
If there is a breach, the supplier would have to notify immediately up the chain, in accordance with its contractual obligations. The supplier contracted with the controller would notify the controller immediately of any personal data breach in accordance with Article 33 GDPR. So, even where the original supplier uses sub-processors, that original supplier remains directly liable to the controller for the sub-processor's obligations. The requirements for reporting a personal data breach should be contained within the data processing agreement.
Notifying the ICO
A controller has a duty to notify the ICO of a 'serious personal data breach' without undue delay and within 72 hours of becoming aware of it. The processor will provide as much information as possible to the controller so that the controller can determine whether the breach is reportable to the ICO.
Notifying the customers
The controller would also determine whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. If so, the controller must also inform those individuals without undue delay.
GDPR gives individuals a right to claim compensation against a controller if they have suffered damage due to a personal data breach. This includes both ‘material and non-material damage’. The ICO does not have the power to award compensation so an individual would need to make an application to the court. An individual can also bring a claim directly against a processor in court. A processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress. A processor will only be liable for the damage if:
- it has failed to comply with UK GDPR provisions specifically relating to processors; or
- it has acted without the controller’s lawful instructions, or against those instructions.
A processor will not be liable if it can prove it is not responsible for the cause giving rise to the damage.
The landmark judgment in Lloyd v Google LLC is the leading authority on damages for breaches of data protection laws (although the claim was brought under the Data Protection Act 1998, it will apply equally to the Data Protection Act 2018). The decision means it is highly unlikely that private claims for damages will be brought en masse against controllers.
How to minimise third-party data risk
Data processing agreements are carefully drafted documents, and it's important to get them right. The Schrems II case states that transfer impact assessments need to be conducted prior to any cross-border transfer of personal data to countries without an adequacy decision. Processors are not always based in the EEA or the UK; many service providers are based across the globe, for example in the US. It is necessary to ensure you have adequate safeguards in place to be able to transfer personal data to your processor across borders.
Our specialist data protection solicitors can assist in evaluating the actual risk against the nature and purpose of the processing and provide specific advice on how to deal with any risk.
We can help in negotiating limitation of liability clauses and advise on any liability caps. This can in turn assist you in buying the right level of insurance, in line with and proportionate to your business and processing activities. Data breach insurance can offer businesses protection against liabilities arising from data breaches; we can help you decide what level of insurance would be appropriate, having considered your business model.