If your supplier suffers a data protection breach, you may still be liable – even if your own systems are secure.
Under UK data protection laws, the liability for a personal data breach doesn’t end with the party directly responsible for the breach. You must understand your obligations as either a data controller or data processor in any supplier relationship, especially as cyber attacks and insider threats become more sophisticated.
Our experienced data protection solicitors can help you assess your exposure, structure robust data processing agreements, and ensure that, contractually and operationally, your business is protected when things go wrong.
What’s a personal data breach?
Under GDPR, a personal data breach is described as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.’
A personal data breach is probably the worst thing that could happen to a supplier (processor) as well as to a controller. A processor has many responsibilities towards its controller client, one of which is to ensure that appropriate technical and organisational measures are in place to secure the personal data it processes, and to inform the controller without undue delay of any personal data breach.
Whilst a processor would do its best to look after the personal data it processes on behalf of the controller, we all know that data can never be 100% secure, especially in the virtual world. It is known that cyber identity fraud is the fastest-growing risk through which hackers gain access to our personal data.
What are the consequences of a supplier data breach?
A personal data breach by a processor can have many consequences. A data processor has numerous responsibilities and duties towards controllers, one of which is to ensure that personal data is kept secure and safe.
There are many consequences for businesses when a personal data breach occurs; however, we list what we believe are the top three:
- Fines – People expect their personal data to be kept secure when it is processed. There are severe penalties for processing personal data for purposes other than those for which it was collected, or for allowing the data to be lost, accessed or destroyed. Supervisory authorities have the power to issue fines of up to 20 million euros or 4% of the breached organisation’s annual global turnover, whichever is higher. The penalties are not limited to fines; the supervisory authorities also have the power to take enforcement action.
- Reputational damage – this can, at times, be worse than a fine. A company can get over a fine and probably still sustain profitability (or just about); however, if word gets out that there have been failures in your technical or organisational systems, or even rogue employees, as in the Shopify case, this can cause major reputational damage. It can be likened to a domino effect, where a single breach involving one controller or processor client is likely to prompt the rest to withdraw their business. After all, good news travels fast, but bad news travels even faster.
- Revenue loss – Studies show that 29% of businesses that face a data breach end up losing revenue, and some suffer losses so severe that the business cannot survive.
Working out who is the data controller under your supplier relationship
The party that determines what personal data is to be processed is the controller, and the party that follows the controller's instructions is the service provider, also known as the processor. The ICO provides a simple example to illustrate this point:
‘A private company provides software to process the daily pupil attendance records of a state-maintained school. Using the software, the company gives attendance reports to the school. The company’s sole purpose in processing the attendance data is to provide this service to the school. The school sets the purpose – to assess attendance. The company has no need to retain the data after it has produced the report. It does not determine the purposes of the processing; it merely provides the processing service. This company is likely to be a processor.’
The school would be the controller, as it determines what personal data to process, whereas the company acts on the controller's instructions and carries out the processing activities.
Whilst a party can be both controller and processor for different purposes, it cannot hold both roles for the same processing activity. A processor may wish to engage another party to assist with the processing activity it has been instructed to perform. Any processor engaged in this way would be regarded as a sub-processor, and the same obligations would follow down the chain. So, in the above example, if the company engages a sub-processor to perform some of the processing activities, the company remains a processor.
Your GDPR obligations would also depend on whether you are a controller or a processor. Essentially, a controller would have more obligations and exercise ultimate control. In contrast, the processor would have fewer obligations and would be restricted in what they could do with the personal data.
Data Processing Terms
The services that a processor provides are limited to the controller’s instructions. The processor does not exercise any control over the purpose for which the personal data is processed. Article 28(3) of the GDPR requires the contract to specify the nature and purpose of the processing, i.e. the reason the controller is instructing the processor. The clauses would apply to the delivery of the services specified in the body of any substantive agreement.
Should there be any ambiguity in role determination, the data processing agreement is the first place to look. The contract would include standard clauses, which include but are not limited to the following:
- The processor must only act on the controller’s documented instructions.
- The processor must take technical and organisational measures to ensure the security of processing.
- The processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract.
- The processor must take appropriate measures to assist the controller in responding to requests from individuals to exercise their rights.
- The processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- The processor must delete or return all personal data to the controller upon termination of the contract.
- The processor must submit to audits and inspections.
Controller obligations in case of supplier breach
If a breach occurs, the supplier must notify the relevant parties immediately, in line with its contractual obligations. The supplier contracted with the controller must notify the controller immediately of any personal data breach in accordance with Article 33 GDPR. Where the original supplier uses sub-processors, it remains directly liable to the controller for the sub-processors' obligations. The requirements for reporting a personal data breach should be set out in the data processing agreement.
Notifying the ICO
A controller has a duty to notify the ICO of a 'serious personal data breach' without undue delay and within 72 hours of becoming aware of it. The processor must provide as much information as possible to the controller, enabling the controller to determine whether the breach is reportable to the ICO.
Notifying the customers
The controller must also determine whether the breach is likely to result in a high risk to individuals’ rights and freedoms. If it is, the controller must also inform those individuals without undue delay.
Paying compensation
GDPR gives individuals the right to claim compensation against a controller if they have suffered damage due to a personal data breach. This includes both ‘material and non-material damage’. The ICO does not have the power to award compensation, so an individual would need to make an application to the court. An individual can also bring a claim directly against a processor in court. A processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress. A processor will only be liable for the damage if:
- it has failed to comply with UK GDPR provisions specifically relating to processors, or
- it has acted without the controller’s lawful instructions, or against those instructions.
A processor will not be liable if it can prove it is not responsible for the cause giving rise to the damage.
The landmark judgment in Lloyd v Google LLC [2021] is the leading authority on damages for breaches of data protection laws (although the claim was brought under the Data Protection Act 1998, it applies equally to the Data Protection Act 2018). The decision means it is highly unlikely that private claims for damages will be brought en masse against controllers.
Cross-border data transfers
Data processing agreements are carefully drafted documents, and it's important to get them right. The case of Schrems II established that transfer impact assessments must be conducted before any cross-border transfer of personal data to non-adequate countries. Processors are not always based in the EEA or the UK; many service providers are based across the globe, for example in the US. You must ensure that adequate safeguards are in place before transferring personal data to your processor cross-border. If in the EU, you must ensure that your transfers comply with UK international data transfer laws; if you are transferring personal data out of the UK to the US, this may be via the ‘UK-US Data Bridge’.
Protecting your business from third-party data breaches
A well-drafted data processing agreement is your first line of defence, but it’s only part of the picture. The way you assess risk, manage cross-border data transfers, allocate liability, and respond to breaches must all align with your business’s operational model and legal obligations. Whether you're renegotiating supplier contracts, navigating international data flows, or reviewing your data breach insurance, our data protection solicitors can work with you to build a resilient, compliant framework that protects both your customers’ data and your commercial interests.