Around six months have passed since the General Data Protection Regulation (GDPR) took effect. Among many unclear implication of GDPR, the vaguest might be how to ensure compliance with the security requirements, including data protection by design and by default. It has been a tough task for cybersecurity professionals to understand how to interpret the GDPR requirements and probably will be a continuous struggle over the next several years.
However, the interpretation of these GDPR provisions should not be the only aspect to command our attention. The increased penalties (up to 20 million Euros or 4 percent of the total annual turnover) made many companies think not only about how to ensure compliance, but also about what happens if the required measures are not implemented. Thus, the question for many companies is who will be liable for compliance failures regarding GDPR security rules: the company or employees responsible for ensuring personal data security?
GDPR says nothing about the liability of employees for violating the provisions of GDPR. Moreover, GDPR sets forth that these are controllers and processors that shall be responsible and liable for ensuring compliance with its requirements. Thus, if Company A is the controller of its clients’ personal data and Company A does not use adequate security solutions, which leads to an unauthorized access to the data, Company A as controller shall be subject to the penalties set forth by GDPR. No GDPR fine will be directly applicable to cybersecurity manager who is designated as responsible for ensuring the security of personal data at Company A. The exception would be the case where a cybersecurity manager (or any employee) leaves Company A, copies the clients’ personal data, and then publishes it. In this case, an individual (former employee) becomes a separate controller, and is personally responsible for any GDPR violations.
However, what happens if Company A has internal binding security procedures that should be followed by employees? For example, what if an employee does not follow them, copies the data to a USB flash drive without encrypting it, and providing any other additional safeguards to work at home, the drive is stolen, and the data is disclosed? Shall Company A still be the only one paying for the disclosure? Or shall the employee (as the one who caused the violation) or the cybersecurity manager (as one responsible for security) also be liable? There is no single answer and many aspects depend on the laws, regulations and case-law in each country especially regarding liability of employees. Moreover, the scope of responsibility might be a concern for companies that have offices all around the globe, which entails different application of laws regarding the liability of employees.
Taking into consideration the aforementioned context, it is recommended that companies and their cybersecurity managers responsible for personal data security make their relationship as transparent as possible for both parties. This can be done in the following way:
1. Define the scope of responsibility. Cybersecurity managers should have a clear understanding of their specific role regarding the GDPR implementation, the systems and departments that are covered, and their access rights.
2. Define the territory. It is necessary to understand the territorial scope of the GDPR compliance that a specific person is responsible for. Is it the place where the manager is physically located or is it broader? This question should be answered especially in cases of international group companies where one person can be in charge of several organizations.
3. Define the applicable laws. It should be clear for both parties which laws are applicable to their relationship. Is it only GDPR implementing laws or are these also any privacy and security-related binding acts? What are the rules for holding companies and employees liable?
4. Agree on communication. If the scope of the responsibility overlaps with other managers or employees, it is crucial to agree on how you work together and how common tasks are distributed.
5. Prove it. All of the agreements reached on the scope of responsibility, distribution of tasks and liability should be provable. If it is possible and reasonable to put them on paper, it should be done. Other options (such as communicating the main terms over email) are also relevant if the company and cybersecurity manager will be able to prove, if a conflict takes place that a certain order was accepted by all stakeholders.
It might seem that it is sometimes more beneficial to avoid agreeing on specific things and engaging in unpleasant talk about what happens in case of an incompliance penalty. However, a clear framework addressing the scope of responsibility and liability can be considered a personal incident response plan for cybersecurity managers that will help them to perform their work in transparent and clear conditions.