A number of newly appointed DPOs are concerned about their potential vulnerability to being sued, including potential personal liability. Some of these simple steps can alleviate or even eliminate these liability concerns:
As defined by GDPR, a Data Protection Officer is an enterprise security leadership role involved in all issues related to protecting personal data within an organization. This person is expected to have expert knowledge of data protection laws and practices and must report directly to the highest level of management.
This is a new or expanded set of responsibilities in many organizations, and the role may be filled either internally or via a consulting contract with an outside party (e.g. external counsel).
Organizations are required to ensure that a DPO is not instructed in any way as to how to complete their tasks. This is for two reasons: to ensure the DPO's independence from normal business operations, and to ensure that DPOs are not dismissed or penalized for performing their tasks.
Data Protection Officers have five main tasks under GDPR:
This is a robust list of responsibilities, making the DPO a consequential position. Further, GDPR doesn’t prohibit DPOs from having other responsibilities (so long as those responsibilities do not conflict with the enumerated required duties).
There is no organization size threshold for the appointment of a DPO under GDPR. DPOs are required for:
Good news for your company’s newly appointed DPO: on an individual level, in the normal course of events, GDPR does not result in personal liability for them in the event of non-compliance. Organizations themselves bear the responsibility to ensure their compliance, and it is the organization that must be able to demonstrate compliance with GDPR.
Having said that, one area for DPOs to watch is anything that could later be characterized as criminal. As with most crimes, a DPO acting with criminal intent will face personal liability for those actions. This is, of course, always true. GDPR itself carries only civil penalties for non-compliance.
In an extreme case, there is theoretical potential that an organization may seek recovery from a DPO for penalties incurred as a result of following the DPO’s advice. However, this seems unlikely. Companies typically fire those who gave them bad advice, rather than sue them.
Companies that hire an external DPO are contracting for a professional service. In these cases, the companies will want to include language in their contracts that requires the professional services organization to purchase errors and omissions (E&O) insurance, which will respond in the case of negligence on the part of the external DPO in their prescribed duties.
Both cyber insurance and D&O insurance may respond to a claim involving a DPO. Both policies may need to be updated in the following ways to reflect the new DPO role in the organization.
Cyber insurance typically covers an organization for its liabilities arising out of data protection regulation, which can include GDPR. Since the liability for non-compliance still falls on the organization, cyber insurance policies should respond to GDPR claims. These are customized forms, however, so it is important to verify this with your insurance broker.
As we’ve discussed in an earlier blog post, the Woodruff Sawyer Cyber Insurance team recommends focusing particularly on the following key coverage considerations with respect to GDPR liability.
As discussed above, cyber liability insurance can be fairly characterized as providing a comprehensive response to GDPR-driven claims, including theoretical ones brought against a DPO. Officers of a company may also naturally wonder to what extent D&O insurance might respond.
If your DPO is, in fact, an officer of a company, it’s reasonable to assume that your D&O policy would respond if the DPO were named in a suit. If your DPO is not an “officer” of the company as defined by your corporate bylaws, there is still an argument that the D&O policy (which usually doesn’t define the term “officer”) would respond on the DPO’s behalf. Additionally, you have the option of adding your DPO to your D&O policy as a named insured.
Regardless of the manner in which a DPO becomes an insured under a D&O policy, you will have to watch out for the “privacy claims” exclusion that carriers are typically unwilling to amend. In other words, it’s not clear that adding a DPO as named insured under a D&O policy actually results in additional coverage.
Also, adding a named insured to a D&O policy has its own issues. The need to think carefully about exclusions was highlighted above. As a further reminder, adding a named insured to a company’s D&O policy theoretically dilutes the limits for the actual directors and officers for whom the policy was purchased. The directors and officers may not mind, but ideally you would confirm this with them before adding a named insured to the policy.
Private company D&O policies have an additional issue, namely that these policies have an “insured versus insured” exclusion. Having this exclusion in a D&O policy means that if an insured party—including a named insured party such as the DPO—participates or cooperates in a suit brought against the company, its directors, and/or its officers, the policy will not respond.
If GDPR exposure leads to a securities claim (which is defined to include breach of fiduciary duty suits), all employees have coverage under a public company D&O policy—subject to the normal self-insured retention, so no further work needs to be done in this regard.
Finally, some Side A DIC carriers extend coverage to employees on a broad basis. These policies might respond on behalf of a DPO in circumstances when a company cannot indemnify the DPO. On the other hand, many Side A DIC policies explicitly limit their coverage to directors and officers specifically to avoid diluting coverage that is intended to respond in catastrophic situations.
The best path is the one that takes you down the road of helping your DPO be as successful as possible. Providing an appropriate budget and suitable resources, including access to things like continuing education conferences and peer networking opportunities, will be helpful in this regard.
Finally, particularly if your DPO is both especially talented and concerned about personal exposure, consider providing a personal indemnification agreement to the DPO. For clarity, you would probably not provide your DPO the same, extremely robust form of indemnification agreement you provide your C-suite officers and your independent directors. Nevertheless, even a lean form of an indemnification agreement that specifies the circumstances in which legal fees will be advanced and indemnification will be provided can be comforting, particularly given that GDPR and the role of DPOs is still uncharted territory.
All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.
About the Author:
Dan Burke has more than 12 years of experience in cyber insurance. In his current role at Woodruff Sawyer, he builds cyber insurance solutions, product enhancements, and client-facing propositions to help expand the company’s cyber liability options, while also helping clients understand how cyber risk has become an operational risk.
Dan is an expert in the field of cyber liability who excels at public speaking and thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal. Before joining the firm in 2018, Dan served as Vice President of Cyber at Hiscox, Inc. where he managed a book of business in six offices throughout the United States. He earned his Bachelor’s degree from the University of Wisconsin-Madison.