With the EU’s implementation of the General Data Protection Regulation (GDPR) in May of 2018 came a new requirement that affects many organizations beyond updating their website and privacy policy: the appointment of a Data Protection Officer (DPO).
A number of newly appointed DPOs are concerned about their potential vulnerability to being sued, including potential personal liability. Some of these simple steps can alleviate or even eliminate these liability concerns:
What is a DPO and What Are Their Responsibilities?
As defined by GDPR, a Data Protection Officer is an enterprise security leadership role involved in all issues related to protecting personal data within an organization. This person is expected to have expert knowledge of data protection laws and practices and must report directly to the highest level of management.
This is a new or expanded set of responsibilities in many organizations, and the role may be filled either internally or via a consulting contract with an outside party (i.e. external counsel).
Organizations are required to ensure that a DPO is not instructed in any way as to how to complete their tasks. This is for two reasons: to ensure independence from the normal business operations, and that the DPOs are not dismissed or penalized for performing their tasks.
Data Protection Officers have five main tasks under GDPR:
- To inform their companies of obligations pursuant to GDPR and other data protection laws
- To monitor compliance with GDPR and other data protection laws
- To provide advice on the data protection impact assessments required under GDPR, when requested
- To cooperate with supervisory authority regulators, including acting as their contact point on issues related to the processing of personal data
- To respond to individuals whose data is processed (e.g. employees, customers, etc.) on issues arising from the processing of their data or rights under GDPR
This is a robust list of responsibilities, making the DPO a consequential position. Further, GDPR doesn’t prohibit DPOs from having other responsibilities (so long as those responsibilities do not conflict with the enumerated required duties).
Which Companies Need to Appoint DPOs?
There is no organization size threshold for the appointment of a DPO under GDPR. DPOs are required for:
- Any public authority or body, such as institutions of higher education or transit authority, except for courts acting in their judicial capacity
- Any company for which core activities involve monitoring large amounts of personal data on a regular or systematic basis
- Any company for which core activities involve processing a large amount of special categories of data or data on criminal convictions and offenses. Special categories of data include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Bio-metric data
- Health-related data
- Sexual orientation or data concerning a person’s sex life
What Liability Does a DPO Face?
Good news for your company’s newly appointed-DPO: on an individual level, in the normal course of events, GDPR does not result in personal liability to them in the event of non-compliance. Organizations themselves bear the responsibility to ensure their compliance and it is the organization that must be able to demonstrate compliance with GDPR.
Having said that, one area for DPOs to watch is anything that could later be characterized as criminal. As with most crimes, a DPO acting with criminal intent will face personal liability for those actions. This is, of course, always true. GDPR itself carries only civil penalties for non-compliance.
In an extreme case, there is theoretical potential that an organization may seek recovery from a DPO for penalties incurred as a result of following the DPO’s advice. However, this seems unlikely. Companies typically fire those who gave them bad advice, rather than sue them.
What if Your DPO is an External DPO and Not Your Own Employee?
Companies who hire an external DPO are contracting for a professional service. In these cases, the companies will want to include language in their contracts that require the professional services organization to purchase errors and omissions (E&O) insurance, which will respond in the case of negligence on the part of the external DPO in their prescribed duties.
How Does Insurance Coverage Apply?
Both Cyber insurance and D&O insurance may respond to a claim involving a DPO. Both policies may need to be updated in the following ways to reflect the new DPO role in the organization.
Cyber Insurance
Cyber insurance typically covers an organization for its liabilities arising out of data protection regulation, which can include GDPR. Since the liability for non-compliance still falls on the organization, Cyber insurance policies should respond to GDPR claims. These are customized forms, however, so it is important to verify this with your insurance broker.
As we’ve discussed in an earlier blog post, the Woodruff Sawyer Cyber Insurance team recommends focusing particularly on the following key coverage considerations with respect to GDPR liability.
- Who is a privacy regulator? Many cyber policies include “international” or “foreign” entities in the list of potential privacy regulatory bodies. Often, cyber insurers will specifically add European Data Protection Authorities (DPAs) by endorsement to make the policy sound GDPR-savvy, but in most policies, this is not a material change.
- Privacy breach versus privacy violations: One important nuance is that the definition of “privacy law” in cyber policies is generally limited to laws regulating privacy breaches. GDPR will impose rules around a much broader set of privacy issues, including how data is stored, managed, and accessed. Insurers are now willing to expand coverage to include claims related to these exposures. This extension is often referred to as “wrongful collection” coverage, but should also include allegations of improper storage and handling of data.
- Scope of regulatory coverage: Similarly, we’ve seen a few policies where the trigger for regulatory fines and penalties was narrower than the general privacy liability coverage and specifically limited to fines related to privacy breaches. The policy should clearly address privacy violations related to all aspects of the handling of data. Note that cyber policies will likely NOT cover some GDPR violations, such as failing to hire a Data Protection Officer (a requirement for companies that conduct “large-scale processing” of personal data).
- Most favorable venue wording for fines and penalties: Commonly found in D&O and EPL policies where coverage for punitive damages is available, a “most favorable venue” provision reinforces the insurer’s intent to pay a fine whenever possible. Such provisions usually state that the insurer will take into consideration all reasonable venues to determine the insurability of a fine or penalty, such as where the company is located, headquartered, or incorporated, or where the claim or event occurred. Cyber policies do not consistently include this language, but insurers are increasingly willing to add by endorsement.
D&O Insurance
As discussed above, cyber liability insurance can be fairly characterized as providing a comprehensive response to GDPR-driven claims, including theoretical ones brought against a DPO. Officers of a company may also naturally wonder to what extent D&O insurance might respond.
If your DPO is, in fact, an officer of a company, it’s reasonable to assume that your D&O policy would respond if the DPO were named in a suit. If your DPO is not an “officer” of the company as defined by your corporate bylaws, there is still an argument that the D&O policy (which usually doesn’t define the term “officer”) would respond on the DPO’s behalf. Additionally, you have the option of adding your DPO to your D&O policy as a named insured.
Regardless of the manner in which a DPO becomes an insured under a D&O policy, you will have to watch out for the “privacy claims” exclusion that carriers are typically unwilling to amend. In other words, it’s not clear that adding a DPO as named insured under a D&O policy actually results in additional coverage.
Also, adding a named insured to a D&O policy has its own issues. The issue of thinking carefully about exclusions was highlighted above. As a reminder, adding a named insured to a company’s D&O policy theoretically dilutes the limits for the actual directors and officers for whom the policy was purchased. The directors and officers may not mind, and ideally, you’d want to verify this before adding a named insured to the policy.
Private company D&O policies have an additional issue, namely that these policies have an “insured versus insured” exclusion. Having this exclusion in a D&O policy means that if an insured party—including a named insured party such as the DPO—participates or cooperates in a suit brought against the company, its directors, and/or its officers, the policy will not respond.
If GDPR exposure leads to a securities claim (which is defined to include breach of fiduciary duty suits), all employees have coverage under a public company D&O policy—subject to the normal self-insured retention, so no further work needs to be done in this regard.
Finally, some Side A DIC carriers extend coverage to employees on a broad basis. These policies might respond on behalf of a DPO in circumstances when a company cannot indemnify the DPO. On the other hand, many Side A DIC policies explicitly limit their coverage to directors and officers specifically to avoid diluting coverage that is intended to respond in catastrophic situations.
How Else Can You Support Your DPO?
The best path is the one that takes you down the road of helping your DPO be as successful as possible. Providing an appropriate budget and suitable resources, including access to things like continuing education conferences and peer networking opportunities, will be helpful in this regard.
Finally, particularly if your DPO is both especially talented and concerned about personal exposure, consider providing a personal indemnification agreement to the DPO. For clarity, you would probably not provide your DPO the same, extremely robust form of indemnification agreement you provide your C-suite officers and your independent directors. Nevertheless, even a lean form of an indemnification agreement that specifies the circumstances in which legal fees will be advanced and indemnification will be provided can be comforting, particularly given that GDPR and the role of DPOs is still uncharted territory.
All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.
About the Author:
Dan Burke has more than 12 years of experience in cyber insurance. In his current role at Woodruff Sawyer, he builds cyber insurance solutions, product enhancements, and client-facing propositions to help expand the company’s cyber liability options, while also helping clients understand how cyber risk has become an operational risk.
Dan is an expert in the field of cyber liability who excels at public speaking and thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal. Before joining the firm in 2018, Dan served as Vice President of Cyber at Hiscox, Inc. where he managed a book of business in six offices throughout the United States. He earned his Bachelor’s degree from the University of Wisconsin-Madison.