IACCM Contract Management Forum

« view all forum posts
2018-01-04 15:04:11

Liability of GDPR consultant

Hello everyone, what is your opinion on shifting the liability for penalties (4% revenue)on external GDPR consultants. I have noticed a lot of companies (usually SMEs) hire GDPR consultants to prepare them for GDPR but hold the consultant liable for their potential penalties. What is your view on this from both perspectives, the company as well as the consultant. Thank you!
 •  World Commerce & Contracting  •   2018-01-04 23:45:53
Hi there. I have submitted and forwarded your question to Daniela Badescu, who is the practitioner in charge of the IACCM Community of Interest "Data Privacy and Data protection", and who has recently delivered a webinar on GDPR. Daniela will be back to you on this. Thanks
Pablo Cilotta
 •  Willis Towers Watson  •   2018-01-09 11:28:28

This is a very interesting point. Thank you for raising the question.
As all is still new with GDPR, it's hard to say what the actual practice is.

One aspect to consider is that the administrative fines are tiered, with the first being up to 2% of the turnover or 10M Eur (whichever is higher) and the second tier up to 4% or 20M Eur (whichever is higher).

Let's assume a consultant provides a set of recommendations and implementation guidelines. GDPR consultants could argue that following that advice is the company's business decision and that applying and maintaining the processes to remain compliant is the company's responsibility.

Also, holding a consultant liable for up to 4% of their customer's turnover may be more than what they can/are willing to cover. Ie. assume an organisation has 10M EUR turnover - this mean the consultant's liability would be up to 400,000 EUR. How does this measure against the consulting fee?

To set up a liability coverage, I believe it may make sense to look at fines in the context of specific contractual obligations and see if based on that, the fines qualify as direct or consequential damages.

It may be different for contracts where there is a continuous service to design, maintain and review the GDPR related processes. Still, the level of liability remains subject to negotiation and I would rather expect it to be tied to the actual contract value and not on fines or other operational costs that may result from non-compliance.

What type of contracts are you looking at? It would be great if you can share what you have seen.

Many thanks,
 •  Orange  •   2018-01-09 16:08:31
Hello Daniela,

thank you for your kind response!

It seems it is becoming practice for companies seeking GDPR consultants to require liability for administrative fines and related costs incurred.

You have asked about the contracts, these are service/consulting contracts between GDPR consultant and SME company (client) which intends to source out the GDPR management/compliance to an external consultant. The services would typically include investigation of readiness for GDPR, preparation of guidelines the company should comply with with regards to GDPR, impact assessment and gap analysis.. The value of such contracts is a fraction of the administrative fines which might be implied upon the client by the authorities in case of GDPR breach. GDPR consultants who refuse to accept full liability for the administrative fines often loose their opportunities and clients.

I do not fully understand your paragraph on direct and consequential damages. Could you please kindly explain?

Thank you again for your time and help.
Kind regards,
Eva Kubirita
 •  NISSAN Europe (Alliance Renault)  •   2018-02-01 16:36:25
Please share any market trends regarding "super caps" instead of unlimited liability in case of data and/or security breaches for SAAS, PAAS and IAAS contracts, Thanking you in advance, Hubert
 •   2018-08-28 17:36:47
Hubert - this wasn't SaaS, PaaS, IaaS specific - but on most recent contracts relating to ICT managed services I've worked on (network and apps support) customer took an approach of requesting unlimited liability, then relaxing back to super cap between £15 - £25m (depending on bargaining power).
Replies: 5
Filter by category
Operations & Capabilities
Organization & People
Strategy & Management Tools