Obligations on SMEs and UAs
Exposures for SMEs/UAs
Conclusion
It is well publicised that there has been an upward trend of data protection and privacy claims in recent years. This is due in part to an increase in both regulation and consumer awareness in how businesses should handle and process data. The additional requirements of the General Data Protection Regulation ("GDPR") which came into force on 25 May 2018 and the Data Protection Bill (to be enacted imminently) will only increase the risk of claims.
We have seen a particular increase in claims against small and medium-sized enterprises ("SMEs") and unincorporated associations ("UAs"). This is reflected by a recent study that suggests that 61% of data breaches affect organisations with fewer than 1,000 employees. Often these claims are covered under the entity section of D&O policies (which is increasingly provided as standard for SMEs), but claims can also result in liability for directors and/or trustees.
To understand why SMEs and UAs are increasingly affected by data protection related claims, it is important understand what their obligations are.
The Information Commissioner's Office ("ICO") provides guidance on businesses' obligations in relation to data. In summary, businesses must only collect information that is needed for a specific purpose; keep it secure; ensure it is relevant and up to date; only hold as much information as they need (and only for as long as they need it); and allow the subject of the information to see it on request. The GDPR, amongst other things, specifies what individuals now have a right to be informed about when businesses collect and use their personal data.
Claims for misuse of information and breach of confidence are often made in conjunction with claims under data protection legislation. Here a claimant needs to show that information disclosed to a third party without consent is private or confidential in nature. Claimants do not need to show actual financial loss and are able to claim damages for the breach and for any distress and anxiety caused.
SMEs or UAs, by their very nature, often do not benefit from a large corporate structure that has dedicated teams or data protection policies and procedures. Whilst large corporates may have robust policies in place and will be aware of their obligations, SMEs'/UAs' awareness of data protection duties can sometimes be limited. Some businesses may not even be aware that they are data controllers, or be aware of their requirements to register with the Information Commissioner's Office.
Notwithstanding this, SMEs and UAs can hold a substantial amount of personal data and/or sensitive personal data. As data and privacy claims are normally made against the company, D&O policies can be triggered under the entity section of the policy.
Directors of SMEs can also face exposure in relation to these claims. Directors will be expected to be aware of the need to ensure the company complies with its data obligations. Any failure by directors to ensure a business has adequate procedures in place and that it has complied with relevant regulations could result in a claim by the company or shareholders against the directors.
As UAs have no legal personality, trustees are personally liable for the actions of the UA. Trustees can therefore face claims from third parties that allege the UA processed their data in a manner that is not consistent with legislation or privacy laws. Typically, claims are made against all trustees of a UA.
Although data controllers are usually organisations, if an individual (for example a director or trustee) is registered as data controllers within an SME or unincorporated associations, they can be personally liable for any breach.
It is also a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. The legal costs incurred in criminal prosecutions against individuals in this scenario may fall to be covered by some D&O policies.
Increased regulation, along with the public becoming more educated on data issues, has resulted in increased exposures to businesses and their directors. This includes SMEs and UAs, who are less likely to have robust data policies in place.
Data breach claims will often be covered under the entity section of D&O policies but there is also a risk of directors and trustees facing claims. Directors will need to ensure that they discharge their obligations to the company to ensure that adequate procedures are in place while trustees will be personally liable for the actions of the UA.
The financial consequences of a breach can be significant, and notification / remedying of breaches is both expensive and time-consuming. Aside from the financial ramifications, the risk of professional and reputational damage should not be underestimated, with data protection breaches increasingly at the forefront of the public and media conscience.
As duties on how businesses process data become more onerous, it is vital that SMEs and UAs are aware of their obligations and have adequate procedures in place. Insurers should insist that prospective insureds have robust policies and procedures to ensure that data is dealt with correctly and that the entity is registered with the ICO if appropriate.
For further information on this topic please contact Graham Briggs at DAC Beachcroft by telephone (+44 113 251 4700) or email ([email protected]). The DAC Beachcroft website can be accessed at www.dacbeachcroft.com.
This update has been reproduced in its original format from Lexology – www.Lexology.com.
