GDPR: potential fines for data security breaches more severe for data controllers than processors, says expert
Have I mentioned recently how much I appreciate columns or posts by lawyers that help educate us non-lawyers? A post in Out-Law.com points out something that is significant for those involved in IT security or advising clients:
One of the many changes that the new Regulation will deliver when it comes into force on 25 May 2018 is a new statutory obligation on data security that data processors must observe above and beyond contractual duties agreed with data controller customers.
Under current EU data protection rules service providers that process personal data on behalf of other businesses cannot be held directly liable to individuals for a breach of data security. If data processors are at fault for data breaches then it is the data controller who contracted with them who is on the hook for any non-compliance with data protection laws, although the data processor could be liable to the data controller under their contract.
The Regulation addresses this anomaly but makes a distinction between the maximum fine data protection authorities will be able to levy against data controllers compared to data processors for failings on data security.
Read more on Out-Law.com.