Data Protection and Liability
The following statement is taken from the UK Government’s website (Gov.uk) under the heading ‘Running a limited company’.
“You may be personally liable for your company’s business liabilities and be fined, prosecuted or disqualified as a company director if you don’t follow the rules. Contact your professional adviser or trade association to find out more.”
Whilst this information relates to limited liability companies, all businesses and their owners and management, whatever their legal status, are faced with the risk of liability – corporate and/or personal.
What is also clear is that the legal and regulatory framework is complex, wide-reaching and constantly changing.
By way of illustration, last October, the UK Information Commissioner agreed with the suggestion by a Member of Parliament that the directors of companies who broke the laws on data protection should bear personal liability for the fines imposed.
In this way, the Information Commissioner’s Office would be able to claw back a far higher proportion of the £4 million imposed in fines than has so far been the case. The main cause of the non-payment of fines imposed is, the Commissioner said, the fact that many companies who are fined by the Information Commissioner’s Office fall into liquidation very soon afterwards.
The Commissioner also made several recommendations on the way that the Information Commissioner’s Office operates:
The ICO’s Direct Marketing Code should be put on a statutory footing;
The threshold for harm to an individual where a data security breach is considered to have occurred should be lowered;
Transparency surrounding the collection of personal data and the safeguards that are in place should be increased.
Currently, the ICO has the power to impose monetary penalties of up to £500,000 for serious data breaches.
However, under the General Data Protection Regulation, due to come into force in May 2018, fines up to a total of £20m or 4% of global turnover (whichever is higher) become a possibility.
The current position on data breaches is that businesses must notify the ICO “without undue delay” and, where such action is feasible, within 72 hours of becoming aware of the breach.
If this timeframe is not met, the business needs to give the ICO a “reasoned justification” of why this has not happened.
In certain situations, affected data subjects must be notified without “undue delay”.
Notification does not need to be made to the Information Commissioner’s Office unless the breach is likely to cause a risk to individuals’ rights and freedoms.
It will be necessary for businesses who handle data (which means virtually every business) to put into place internal procedures for dealing with data breaches.
Compensation claims can be made, and this will include compensation where there has been non-material damage.
Data protection is just one of many areas of which all businesses need to be aware, and these obligations mean there is a potential liability.
For this reason, all businesses should consider Management Liability insurance.
Policyholders of an AXA Insurance Management Liability Policy (MLP) have access to the Advice Resource Centre (ARC) operated by rradar, providing unlimited advice and guidance on any legal or regulatory matter affecting a business.