The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation, which specifies the criteria for designating a DPO, describes the position, and enumerates its responsibilities. Critically, for many companies, designating a DPO is not optional. In any case, the Article 29 Working Party’s guidance makes it clear that, once chosen, both mandatorily and voluntarily designated DPOs have the same responsibilities. The Working Party (now the European Data Protection Board) further suggests that it may be in the interest of companies not legally required to designate a DPO to do so anyway, whether “internal” or “external.” Either is expressly allowed by the GDPR. Internal DPOs are employees of the organizations they advise; external DPOs are retained via service contract and may be self-employed or employees of another company (e.g., a law firm).

First and foremost, data protection officers — whether inside or outside of the organization — counsel about legal and regulatory compliance and are therefore on the front lines of enterprise risk. Infringement of the GDPR and national data protection regimes can carry significant financial penalties. Everyone knows the 4 percent of global turnover or 20 million euros figures.

Could DPOs conceivably be exposed to staggering personal liability for data protection violations by their employers or clients? What are the risks of liability for both internal and external DPOs and what options might be available to them to mitigate or insure against that risk?

Internal DPO liability

One of the most-highlighted aspects of the GDPR is its potential for serious fines. Companies facing millions or even billions in possible penalties are incentivized to seek indemnity from whomever possible to reduce the sting — especially given the uncertainty over whether those fines are insurable. If a data protection authority fines or sanctions a company resulting in monetary damages and the company can trace that fine to actions taken on its DPO’s advice, the company may seek to recover its losses from the DPO, especially if it believes the DPO was negligent. Additionally, some national data protection laws create personal civil or even criminal liability for corporate officers who are personally responsible for data protection violations. It is easy to imagine a situation where either GDPR or national-law violations (or both) are laid at a DPO’s feet. 

While the GDPR provides some protections for DPOs, it does not unequivocally shield them from all sources of liability. Article 39 lays out the minimum responsibilities of a DPO. Article 38(3) prohibits organizations from instructing DPOs on how to carry out those tasks. Additionally, Article 38 protects DPOs from being “dismissed or penalized by the controller or processor” for performing their tasks. However, this guarantee of independence says little about what happens if DPOs fail in their role; as a result, DPOs may remain exposed to liability should an organization rely on their inaccurate advice. The Working Party's guidance clearly states, “DPOs are not personally liable in case of non-compliance with the GDPR.” But while this language mitigates the risk of enforcement against a DPO directly by a data protection authority, it does not necessarily protect a DPO from liability to the company arising from his or her error or negligence. 

If a DPO’s error results in a serious regulatory or individual enforcement action, the potential exposure to liability is substantial, certainly well beyond the compensation offered to those holding the position. In the U.S., a company that believes a DPO’s negligent conduct has directly caused it harm potentially has a common law right to seek indemnity from its employee. Massive negligence suits by employers against employees are rare but not unheard of.

Moreover, even if a DPO’s employer declines to act directly, third party lawsuits by shareholders or consumers targeting a DPO are also possible. Shareholder derivative actions occur when a company’s shareholders file suit on the company’s behalf — typically after the company’s management has declined to do so. They often target the company’s officers, directors or other employees. A typical derivative suit alleges that an officer, director or employee caused the company harm. Any damages award is paid back to the company rather than to the derivative plaintiff shareholder. To be sure, differences in the legal system make shareholder derivative actions much rarer in most European jurisdictions than they are in the United States. But U.S. companies, too, are subject to GDPR, which may “import” individual DPO liability across the Atlantic.  

A consumer might also seek redress directly from a negligent DPO who allegedly caused harm to the consumer. Some jurisdictions protect officers, directors and employees from personal liability for on-the-job negligence, but others do not, depending on jurisdiction and language of employment contract.

An internal DPO’s exposure to liability depends heavily on where he or she sits within the organization, as the DPO’s seniority will affect the applicability of any directors and officers insurance the company holds (discussed below). The jurisdiction in which the company operates, the existence of any other insurance policies or indemnity agreements, and the language of the DPO’s employment contract are all also key factors in the DPO’s risk exposure.

External DPO liability

External DPOs — who are not employees, but rather outside contractors who provide advice to organizations pursuant to an Article 37(6) service contract — face a more straightforward risk of liability. If an organization engages a DPO via service contract, relies on that DPO’s advice, and is subsequently subject to an enforcement action by a supervisory authority, it could seek damages from the DPO.

This scenario is familiar to many contractors, especially professional service providers, the world over. If a contractor or professional is negligent in providing services and the customer suffers a harm as a result, the customer may seek compensation for the damage suffered. That, after all, is why companies commission legal opinions. Moreover, external DPOs who provide services to multiple clients may face greater exposure through aggregate risk of liability.

Risk mitigation for DPOs

With the potential for both internal and external DPOs to face liability for giving faulty advice, what solutions does the market offer? Both DPOs and the organizations that employ or contract them will seek solutions — and there are products already in existence to address the risk. Directors and officers insurance could possibly be structured to cover internal DPOs, while errors and omissions coverage can be arranged to protect the external variety. Both types of policies need to incorporate protective contract language.

Directors and officers insurance for internal DPOs

For internal DPOs, one option for protection from personal liability is through directors and officers insurance (often referred to as D&O). D&O policies are typically purchased by a company to provide its directors and officers either with advance coverage or reimbursement of expenses incurred because of civil or successfully defended criminal actions against those employees for work done on the company’s behalf. Coverage typically also includes expenses incurred as part of defending third-party suits, such as shareholder derivative actions.

The applicability of D&O coverage is contingent on the level of an employee’s position within a company. It typically applies to only the board of directors and employees identified as officers of the company, since being an “officer” is not synonymous with being an “employee.” Identifying which employees qualify as corporate officers is a key question in determining the reach of D&O coverage. Some U.S. states require certain officer positions be filled on record (for example, Ohio law requires each corporation to appoint a president, treasurer, and secretary), although the board of directors typically has discretion to create other officer positions as needed. Other states, such as Delaware, leave the titles and duties of a company’s officers entirely to each company’s bylaws. European jurisdictions also vary widely with respect to the definition of officer roles.

Determining “officer” status is not always a simple proposition. For example, Goldman Sachs, one of the largest investment banks in the world, recently spent several years litigating whether an employee with the title “Vice President” qualified as an “officer.” Goldman fought a six-year case, starting from the District Court of New Jersey all the way to the Third Circuit Court of Appeals (with a pit stop in the Delaware Chancery Court to interpret the firm’s bylaws), to determine whether it was required to reimburse a former vice president in its Equities Division for his legal fees. Though Goldman was ultimately successful in avoiding liability, the expenses incurred in fighting the case were substantial. 

Notwithstanding the use of the term “officer” for the data protection officer role, therefore, internal DPOs should verify that their employer’s D&O policies indeed cover them against third-party liability. Goldman’s litigation illustrates what could happen in the presence of ambiguity about whether a position qualifies for indemnification. In addition to the wording of the insurance policy, whether a particular position within a company qualifies as an “officer” for the purpose of coverage will depend on the company’s home jurisdiction, its organizational documents, and how the role is implemented in practice.

Indeed, Article 38’s proscription against DPOs accepting tasks and duties that result in a conflict of interest, as interpreted by the Working Party’s guidance, could imply that acting as a DPO is inherently incompatible with holding an officer role for the purposes of D&O insurance. Consequently, while the GDPR requires that the DPO “is involved, properly and in a timely manner, in all issues which relate to the protection of personal data” and “report directly to the highest management level,” these requirements do not automatically ensure that the DPO will qualify as an “officer” for insurance purposes. Absent a clear determination of the DPO’s officer status in a company’s bylaws or insurance policy, the protection of the DPO will be assessed like any other potential officer. With the Goldman case as an example, whether the DPO has any managerial or supervisory responsibilities, the behavior of the company toward any other employees in similar roles, and whether the company presented the DPO as an officer to its other employees will all play a role in how the position is ultimately considered. 

Insurance for external DPOs 

With the potential financial risk faced by DPOs, obtaining effective insurance coverage is key. As outside contractors, external DPOs will not be covered by clients’ D&O or general liability policies. Errors and omissions insurance (similarly referred to as E&O) is designed for just such service providers, typically protecting professional advisors and service providers from the cost of defending a client’s negligence claim as well as from damages from an adverse civil judgment. Common examples of this type of liability protection include legal and medical malpractice insurance. Broadly, the scope of claims covered by any given E&O policy are enumerated in the language of the policy itself. 

Legal malpractice coverage

Companies that determine a DPO is necessary but lack sufficient resources to create the position internally often appoint outside counsel to serve in the role, particularly if external counsel is already engaged for other data protection needs. Law firms considering offers to serve as external DPOs should carefully analyze their potential exposure to liability as well as possible conflicts of interest that may arise.

Earlier this year, the IAPP’s Privacy Bar Section hosted a web conference that discussed the potential conflict of interest attorneys may face if they act as both counsel and a DPO for the same client. The requirements for DPO independence and cooperation with regulators could run afoul of lawyers’ traditional obligations of confidentiality and loyalty. The Working Party guidance on DPOs suggests that a conflict may arise if an external DPO is asked to represent a controller or processor before a court in “cases involving data protection issues.” Some EU member states, such as France, explicitly prohibit DPOs from acting as legal representatives for their employers or clients in administrative or judicial settings.

Malpractice insurance policies are a specific type of errors and omissions insurance usually purchased by lawyers to cover legal work done on behalf of the firm’s clients. Often, malpractice policies contain carve-outs that explicitly exclude any of the insured attorneys’ actions that do not arise from representative relationship. But if a company’s DPO cannot act as its attorney due to a conflict of interest, the DPO’s legal malpractice insurance may not extend to his or her actions as DPO. Certain malpractice insurance policies may accept DPO work as “legal work” for coverage purposes, but lawyers and law firms considering acting in this role should first scrutinize their policies closely.

Other E&O insurance

Not only lawyers, but also other professionals acting as external DPOs could be exposed to liability. Much like legal malpractice insurance, general E&O policies are specifically limited in the type of conduct they cover. General E&O policies are designed to cover professional services businesses when their client suffers damages from relying on their actions or advice. E&O policies can cover everything from financial consulting to building repair work, including potentially DPO contracting services. However, miscellaneous E&O policies are not standardized, meaning that available coverage may vary widely. Insurers are typically hesitant to underwrite service providers whose exposure is unclear. Consequently, at least until the market for DPO insurance matures, individuals or companies that offer DPO services should be careful in negotiating appropriate insurance coverage.

Protective contract language

Aside from obtaining insurance coverage, external DPOs can seek to limit their risk exposure by including protective terms in their engagement agreements. IAPP Privacy Bar Advisory Board member Courtney Barton, head of privacy strategy and counsel at WireWheel.io, offered the following language as an example of an indemnification provision in an external DPO contract:

No Consequential Damages; Indemnification

Neither Party shall be liable to the other for special, indirect, incidental, consequential, or punitive damages of the other or for any form of damage (even if advised of the possibility thereof) other than direct damages arising out of, or in connection with, this Agreement. DPO will not be liable for special, indirect, incidental, consequential, or punitive damages resulting from COMPANY’s obligations under GDPR, including any fees or fines imposed on Company by any regulatory authority or any liability on the part of the COMPANY to any data subject. COMPANY agrees to indemnify and hold harmless DPO for any liability it may sustain as a result of its role as DPO for the COMPANY.

Negotiations between external DPOs and companies over the extent of potential liability the service provider is willing to accept will be a key part of any DPO service contract. 

Conclusion

Prior to accepting an offer to act as an internal or external DPO, data protection professionals should assess their potential exposure to liability. This includes clarifying the status of their liability insurance or that of their employer and not simply assuming the DPO role will be covered by an existing policy. Before appointing an internal or external DPO, a company may need to negotiate with its insurer or even amend its bylaws to ensure that the DPO’s role and status are clear.

Photo credit: CreditDebitPro Liability Key via photopin (license)