Hi, I’m negotiating a DPA with a data processor, and I’m not sure how much I can push in terms of liability.
Should I expect a data processor to accept liability (uncapped) for fines or damages we get that result from them violating the DPA or the law? Or can I trust that they will be the party fined if it is indeed their fault?
Thankful for input
It is very doubtful that, even if you could get a processor to take on unlimited liability, it would stand up as a fair contract.
The norm is to split the liability, with one part attached to the performance of the contract and one to an action/actions that result in a breach which would materially affect your business.
Always remember that as the Controller, your due diligence will be held to account first, unless it is absolutely clear cut that any breach of the regulations was caused by your processor’s negligence or ‘bad action’.
Negotiate as much as you can, but you can’t simply pass liability. Exercise and document your due diligence and regularly audit. In reality you would need to bring a case against the processor for damages, not the ICO.
The good news is that almost 100% of the fines have been for PECR violations and not data breach.
The ICO are looking to punish those who flagrantly disregard good practice, not those who fall victim to sophisticated bad actors.
We were discussing this earlier today in relation to a relatively low value contract. We reached a similar conclusion to that given by Yorkie82. An organisation with data controller responsibilities cannot expect a supplier/processor to be liable for a lack of due diligence or under-baked service specifications. However, processors must be aware of and accept their responsibilities.
As controller, you are first and foremost accountable for any breach by your processors. This would mean the breach investigation, remediation and any notification obligations. Any fines would be apportioned between yourselves and the processor involved according to the extent of the responsibility. If you have done your homework correctly as suggested elsewhere, you stand to minimise these fines, but I would not go so far as to say that you are ‘insulated’.
Liability, on the other hand, is a commercial consideration. The liability you specify in the contract is generally to cover you for your costs incurred as a direct result of any event caused by the processor. These would include costs of remediation (e.g. writing to customers, paying for credit monitoring services etc.). As to the amount, I would very much doubt any company would accept unlimited. Many limit the damages to the value of the fees paid under the contract, but in the end, it’s just a negotiation. Good luck.
Passing on liability for intent or gross negligence should be a no-brainer.
But also if you have done your due diligence on the processor, obtained the required cyber safety guarantees in place and their commitment to the process in line with data protection legislation and audit the compliance on a regular basis, you can insulate yourself from potential fines if they caused a breach or another violation.