Business Legal Services
We offer a wide range of legal services for businesses of all sizes, with pricing plans designed for start-up, small and venture-backed businesses and medium to large businesses.
Find out more
Business Disputes
Business Immigration Law
We advise businesses, entrepreneurs, investors and educational establishments on all aspects of UK immigration law, from recruiting overseas staff to ensuring ongoing compliance obligations are being met with the UK Visas and Immigration (UKVI).
Find out more
Commercial Law
Commercial Property Law
Construction Law
Corporate Law
Data Protection & Privacy Law
Employee Incentive Arrangements
Employment Law
Finance & Investment
Financial Services Regulation
Insolvency & Corporate Recovery
We support entrepreneurs, stakeholders and executive leadership confronted with financial difficulties. We also insolvency practitioners, creditors and individuals. Our insolvency team can help you choose a recovery or exit strategy that’s right for you.
Find out more
Intellectual Property
IT & Commercial Technology Law
Business Life Cycle
Our Business Life Cycle is designed to guide you through the different situations you’re likely to encounter on your business journey.
Overview 
Sectors
Our senior solicitors have built up a wealth of specialist sector knowledge throughout their careers. We appreciate that one size never fits all, which is why we leverage our team's sector knowledge through a multi-disciplinary approach to providing you with tailored and relevant advice. Our sector focused interest and experience enables us to provide up-to-the-minute advice and help you to anticipate the legal impact of potential future changes on your business.
Find out more
Creative Industries
Our creative sector solicitors keep abreast of the latest cases, legislative changes, and industry developments, to ensure our clients receive smart, pragmatic, insightful, and tailored legal services. We provide expert legal advice and representation in relation to all creative endeavours, including clients in advertising and marketing, television, theatre, music, art, publishing, architecture, technology, and all spheres of design.
Find out more
Energy, Utilities & Environment
Our energy, utilities and environment solicitors are expert legal advisers to the industry, including individual and institutional investors and funders, technical advisors, developers, entrepreneurs, utility firms, environmental and waste technology companies, landowners, aggregators, CICs, inventors and environmental scientists, contractors and suppliers and have vast experience in the sector.
Find out more
Life Sciences
Our multi-disciplinary life sciences legal team has specific sector experience, and our life sciences lawyers cover a range of areas such as risk assessment and management, manufacturing and supply chain issues, compliance review and advice including product liability, intellectual property issues and the development of IP strategies, data protection and GDPR advice, licensing and contractual issues, financial advice and mergers and acquisitions, as well as disputes and litigation management.
Find out more
Manufacturing & Engineering
Our manufacturing and engineering lawyers have an in-depth understanding of these sectors and the needs of businesses. We understand the vast and vital contribution manufacturing and engineering businesses make towards the British economy. Our solicitors partner with clients within these sectors to ensure their interests are protected and their commercial ambitions are achieved.
Find out more
Public Sector
Whether you’re situated directly within the public sector or you’re a commercial partner, our public sector solicitors can help you with all areas of business law you’re likely to need advice on, from banking and finance, commercial tenders and contracts, dispute resolution, real estate, intellectual property, data protection, employment law and much more.
Find out more
Retail & Luxury Brands
Whatever your business within the retail sector, our retail lawyers understand this challenging market and work across a range of areas including e-commerce, corporate and commercial, commercial property, dispute resolution and employment law to help advise and provide solutions for your business.
Find out more
Sports
Our sports law solicitors have expertise in the latest sports law and they also understand the industry; including its structures, regulations, challenges, pressures, trends, and developments. We offer legal advice and representation to national governing bodies, international federations, sports clubs, and athletes in any sport, whether amateur or professional.
Find out more
Start-ups
Our team of experienced senior solicitors are business and finance law specialists, with a proven track record in supporting start-ups - they have the legal skills and experience to help founders who want to get things right from day one. We act for start-up companies, entrepreneurs, founders, boards and individual directors of early-stage companies, financial institutions, and investors considering investment under the EIS and SEIS schemes.
Find out more
Technology
Our expert technology solicitors advise both specialist technology companies as well as their partners, customers, and users. We understand the commercial issues involved in tech depend on the services and products involved, which is why we endeavour to understand your niche and its implications. Whether you are a crowdfunded start-up or a large multi-national, our dedicated team of technology specialists are adept at acting for you wherever and whenever technology defines or intersects your organisation.
Find out more
Our Pricing & Service Plans
Our Pricing & Service Plans
Our unique subscription plans coupled with our remote operating model allow us to deliver expert legal advice, from partner level lawyers, at a fraction of the cost compared with traditional law firms. Our Enterprise and On-demand plans help you spread the cost of advice and access discounted rates, providing flexibility, peace of mind and plans that can scale with your business.
See Our Pricing Plans
The City Plan
Our City service provides you flexible access to our experienced lawyers, with no fixed monthly cost and low hourly rates, from £250 per hour. Whatever legal assistance you need, we can help you and the cost of using our experienced lawyers will provide a significant saving compared to those associated with traditional law firms.
See Our Pricing Plans
The Enterprise Plan
Our Enterprise subscription package is specifically designed for start-ups and smaller sized businesses. With a £189 monthly subscription fee and additional legal support from senior solicitors at £125 per hour, it includes 1-hour of free legal support per month which rolls over if unused.
See Our Pricing Plans
The On-demand Plan
Our On-demand plan is a smarter way for high-growth and established businesses to get legal advice. A the fully account managed quarterly subscription service which provides you with priority access to experienced partner-level solicitors, recruited from top 100 UK law firms, whenever you need them, at an affordable and flexible budget set by you.
See Our Pricing Plans
About Us
Harper James is a new breed of commercial law firm – a national law firm designed exclusively to champion ambitious and entrepreneurial businesses, enabling them to access expert legal advice at an affordable cost when they need it most. We work with start-ups through to established businesses that have been running for years or looking to scale, futurecorns and unicorns as well as those ready to sell and often build their next business.
Find out more
Careers
Work with like-minded individuals and free from the bureaucracy of traditional law firms in a truly flexible workplace. We offer career opportunities for solicitors and business support professionals that meet your needs and evolve as you evolve.
Find out more
Meet Our Team
Meet the people of Harper James.
Find out more
Press & Media
Our solicitors are well-positioned to provide commentary on all manner of commercial legal issue and regularly contribute to both national, sector and industry press.
Find out more
What Our Clients Say
A selection of our client testimonials.
Find out more
Join our team
Work with like-minded individuals and free from the bureaucracy of traditional law firms in a truly flexible workplace. We offer career opportunities for solicitors and business support professionals that meet your needs and evolve as you evolve.
See Our Open Positions 
News & Insights
The latest news and insights from Harper James including our 'Meet the client' interview series, case studies, legal updates, thoughts & opinions, podcasts, videos and spotlights on our solicitors.
Find out more
Case Studies
In-depth stories of how our clients' businesses have evolved and how we have supported them.
Find out more
Company News
The latest Harper James news.
Find out more
Client News
Examples of some of the exciting work and waves our clients are making as well as in-depth client interviews and stories.
Find out more
Thoughts and Opinions
Our views and perspectives on some of the latest developments.
Find out more
Podcasts and Videos
Watch and listen to our latest podcasts and videos featuring client and Harper James interviews and stories.
Find out more
Knowledge Hub for Growth
Our free resource designed to help your business overcome challenges and realise its potential. Written by lawyers and business experts, these resources will help you decipher legal terminology and tackle key milestones from securing funding and growing your team, to protecting your ideas and expanding to new markets.
Find out more
Subscribe to Our Newsletter
Receive the latest legal insights, practical guides, client stories and other news.
Subscribe Now 
Contact Us
Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.
Get in Touch
Make An Enquiry
Get in Touch
Request A Call Back
Get in Touch
Offices
Get in Touch
Offices
We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.
Overview 
Knowledge Hub
Data Protection
All Knowledge HubBusiness DisputesBusiness GrowthBusiness ImmigrationBusiness PlanningCommercial LawCommercial PropertyCorporate LawCOVID-19Data ProtectionEmployment LawFinance & Investment LawInsolvency & Corporate RecoveryIntellectual PropertyInternational Trade and Brexit
Supplier data protection breach

Knowledge Hub
for Growth

What if my supplier has a data protection breach? Am I liable?

Article
Article
7 mins read
Updated on 23 November 2021

In September 2020 SaaS provider Shopify admitted that two rogue members of their support team had stolencustomer personal data from around 100 merchants. The personal data consisted of, names, postal addresses and other information. Shopify investigated the incident and were able to conclude that none of the data was used and that the financial data was unaffected. But imagine if it was used, consider the impact?

Here we review the obligations of data processors and controllers, and discuss your company’s responsibilities and those of your supplier.

What’s a personal data breach?

Under GDPR a personal data breach is described as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.’

A personal data breach is probably the worst thing that could happen to a supplier (processor) as well as a controller. A processor has many responsibilities towards their controller client, and one of them is to ensure that there are technical and organisational measures in place to process the personal data and inform the controller without undue delay of any personal data breach.

Whilst a processor would do their best to look after the personal data that they process on behalf of the controller, we all know that data can never be 100% secure, especially in the virtual world. It is known that cyber identify fraud is the fastest growing risk from which hackers use to gain access to our personal data.

What are the consequences of a GDPR breach?

A personal data breach by a processor can have many consequences. A data processor has a lot of responsibilities and duties towards controllers and one of them is to ensure personal data is kept secure and safe.

There are many consequences for businesses when a personal data breach occurs, however, we list what we believe as our top 3:

  1. Fines - People have an expectation that their personal data will be secure when it is processed. There are severe penalties for not processing personal data either for the reason it was collected or allowing the data to be lost, accessed or destroyed. Supervisory authorities have the power to issue fines of up to 20 million euros or 4% of the breached organisations’ annual global turnover, whichever is higher. The fines are not limited to financial penalties, the supervisory authorities also have the power to take enforcement action.
  2. Reputational Damage – this can be, at times, worse than a fine. A company can get over a fine and probably still sustain profitability (or just about), however, if word gets out that there have been failures in your technical or organisational systems, or even rogue employees such as the case in Shopify, then this can cause major reputational damage. It can be said to be a dominoes effect, such as where there has been one breach with a controller or processor client, the rest are likely to withdraw their business, after all good news travels fast, but bad news travels even faster.
  3. Revenue loss – Studies show that 29% of businesses that face a data breach end up losing revenue, some of which end up experiencing such a loss that they are unable to sustain the situation.

Working out who is the data controller under your supplier relationship

The party that determines what personal data is to be processed would be the controller, and the party that follows the instructions of the controller is the service provider, better known as the processor. The ICO provides a simple example to illustrate this point:

‘A private company provides software to process the daily pupil attendance records of a state-maintained school. Using the software, the company gives attendance reports to the school. The company’s sole purpose in processing the attendance data is to provide this service to the school. The school sets the purpose – to assess attendance. The company has no need to retain the data after it has produced the report. It does not determine the purposes of the processing; it merely provides the processing service. This company is likely to be a processor.‘

The school would be the controller as they are determining what personal data to process. Whereas the company is acting on the controllers instructions and carries out the said processing activities.

Whilst a party can be both controller and processor for different purposes, they cannot be both roles for the same processing activity. It may be the case that the processor wishes to engage another sub-processor to assist with the processing activity for which they have been instructed. Any processors would be regarded as sub-processors and the same obligations would follow down the chain. So, in the above example, if the company engaged another sub-processor to do some of the processing activities, they will always be processors.

Your GDPR obligations would also depend on whether you are a controller or processor. Essentially a controller would have more obligations and exercise ultimate control, whereas the processor would have less obligations and would be restricted as to what they would do with the personal data.

Data Processing Terms

The services that a processor would provide would be limited to the controller’s instructions. The processor would not exercise any control over the purpose for which the personal data is processed. Article 28(3) GDPR requires a contract to stipulate the nature and purpose of the processing. This would be the reason why the controller wishes to instruct the processor. The clauses would apply to the delivery of the services specified in the body of any substantive agreement. 

Should there be any ambiguity in role determination, the data processing agreement would be the first place to look. The contract would include precedent clauses which would include, but are not limited to:

  • The processor must only act on the controller’s documented instructions,
  • The processor must take technical and organisational measures to ensure the security of processing.
  • The processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract.
  • The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights.
  • The processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
  • The processor must delete or return all personal data to the controller upon termination of the contract.
  • The processor must submit to audits and inspections.

Controller obligations in case of supplier breach

If there is a breach, the supplier would have to notify immediately up the chain, in accordance with their contractual obligations. The supplier contracted with the controller would notify the controller immediately of any personal data breach in accordance with Article 33 GDPR. So, despite the original supplier using sub-processors, that original supplier would be directly liable to the controller for the sub-processor's obligations. The requirements on reporting a personal data breach should be contained within the data processing agreement.

Notifying the ICO

A controller has a duty to notify the ICO of a 'serious personal data breach' without undue delay and within 72 hours of becoming aware. The processor will provide as much information as possible to the controller in order for the controller to make a determination where the breach is reportable to the ICO.

Notifying the customers

The controller would also determine whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. If their rights and freedoms are affected, then the controller must also inform those individuals without undue delay.

Paying compensation

GDPR gives individuals a right to claim compensation against a controller if they have suffered damage due to a personal data breach. This includes both ‘material and non-material damage’. The ICO does not have the power to award compensation so an individual would need to make an application to the court. An individual can also bring a claim directly against a processor in court. A processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress. A processor will only be liable for the damage if:

  • it has failed to comply with UK GDPR provisions specifically relating to processors; or
  • it has acted without the controller’s lawful instructions, or against those instructions.

A processor will not be liable if it can prove it is not responsible for the cause giving rise to the damage.

The landmark judgment in Lloyd v Google LLC [2021] is the leading authority on damages for breaches of data protection laws (despite the lawsuit being bought under the Data Protection Act 1998, it will apply equally to the Data Protection Act 2018). The decision would mean it’s highly unlikely for private claims for damages to be bought in the masses against controllers.

How to minimise third-party data risk

Data processing agreements are carefully drafted documents and it's important to get them right. The case of Schrems II states transfer impact assessments need conducting prior to any transfer of personal data cross border to non-adequate countries. It’s not always the case that processors are based in the EEA or the UK, many service providers are based across the globe, such as in the US. It is necessary to ensure you have adequate safeguards in place to be able to transfer personal data to your processor cross border.

Our specialist data protection solicitors can assist in evaluating the actual risk against the nature and purpose of processing and provide specific advice in how to deal with any risk.

We can help in negotiating limitation on liability clauses and advise on any liability caps. This can in turn assist in you buying the right level of insurance in line and proportionate to your business and processing activities. Data breach insurance can offer businesses protection against liabilities arising from data breaches, we can help you decide what level of insurance would be appropriate having considered your business model.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.

  • This field is for validation purposes and should be left unchanged.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Explore related resources

View All 
Updated 1 month ago
Data Protection
Data Protection
GDPR Training Requirements 
Article
Article
6 mins read
Updated 1 month ago
Data Protection
Data Protection
Transfer Impact Assessments (TIAs) 
Article
Article
7 mins read
Updated 3 months ago
Data Protection
Data Protection
Transferring data from the UK: IDTA and UK addendum explained 
Article
Article
5 mins read
Updated 3 months ago
Data Protection
Data Protection
Legal consequences of a cyber attack 
Article
Article
9 mins read
Updated 5 months ago
Data Protection
Data Protection
What is a Privacy Policy? 
Article
Article
6 mins read
Business Disputes
Business Growth
Business Immigration
Business Planning
Commercial Law
Commercial Property
Corporate Law
COVID-19
Data Protection
Employment Law
Finance & Investment Law
Insolvency & Corporate Recovery
Intellectual Property
International Trade and Brexit
Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Birmingham 
Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Cambridge 
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
Manchester 
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
London 
10 Fitzroy Square, London, W1T 5HP
Oxford 
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
Sheffield 
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.

Subscribe

Search
View search results
View search results 

How can we help?

To access legal support from just £125 per hour arrange your free no-obligation initial consultation to discuss your business requirements.

0800 689 1700

Make an enquiry

0800 689 1700
X