I agree with your thought: unlimited liability means unlimited exposure irrespective of the size of the contract.
If there is no way to limit your liability, then at least include a clause that defines a process for identifying liability. E.g. if a mistake happens by your employee due to some vulnerability in the client/customer's systems/process, then is it only your fault, or is the customer also responsible for it? If both parties agree to jointly decide on a mechanism for fixing ownership of the issue, then you get a fair chance to defend yourself. Just my thoughts...
Thank you for your response. Most of these happen to be government contracts where one is unable to propose any changes. Are organizations that work with government customers usually willing to undertake the risk of unlimited liability? I am also guessing that there may potentially be no risk that will require indemnification in a product supply contract, or am I underestimating?
Hi Mark, Happy to discuss. Send me an email via firstname.lastname@example.org and I can talk about the principles I use.
In my view I don't believe, as a community, we have fully bottomed out all the risks associated with these types of engagement.
• Nokia Solutions and Networks Australia Limited
For a very good, concise review of the principles and issues of cloud agreements generally, covering most of your points above (my view anyway), you might also check out David W. Tollen's book "The Tech Contracts Handbook" online or via this website:
Given you are talking about actually processing personal data (suppliers' reps' details), if this falls under the GDPR then it would be prudent to update the contracts to that effect (see Art. 3 of the GDPR for the full territorial scope, but this could mean a company based in the EU or processing data from EU individuals or companies). I believe the first step is reaching out to your Legal team and DPO and getting an assessment specific to your business operations, and identifying the cases where you qualify as a data processor or controller. As a general approach, according to Art. 5 of the GDPR, you need to inform the individuals about collecting and processing their data, as well as the purpose of the data processing. Direct consent could also be required (see Art. 7). If your organisation has already implemented the processes to comply with the GDPR, it would only be a matter of including it in the contracts or working with localised templates (i.e. include it only for your company's OUs or suppliers based in the EU).
Hi there. I have submitted and forwarded your question to Daniela Badescu, who is the practitioner in charge of the IACCM Community of Interest "Data Privacy and Data protection", and who has recently delivered a webinar on GDPR. Daniela will be back to you on this. Thanks
• Willis Towers Watson
This is a very interesting point. Thank you for raising the question.
As all is still new with GDPR, it's hard to say what the actual practice is.
One aspect to consider is that the administrative fines are tiered, with the first being up to 2% of the turnover or 10M Eur (whichever is higher) and the second tier up to 4% or 20M Eur (whichever is higher).
Let's assume a consultant provides a set of recommendations and implementation guidelines. GDPR consultants could argue that following that advice is the company's business decision and that applying and maintaining the processes to remain compliant is the company's responsibility.
Also, holding a consultant liable for up to 4% of their customer's turnover may be more than what they can or are willing to cover. I.e. assume an organisation has 10M EUR turnover - this means the consultant's liability would be up to 400,000 EUR. How does this measure against the consulting fee?
To set up a liability coverage, I believe it may make sense to look at fines in the context of specific contractual obligations and see if based on that, the fines qualify as direct or consequential damages.
It may be different for contracts where there is a continuous service to design, maintain and review the GDPR related processes. Still, the level of liability remains subject to negotiation and I would rather expect it to be tied to the actual contract value and not on fines or other operational costs that may result from non-compliance.
What type of contracts are you looking at? It would be great if you can share what you have seen.
Thank you for your kind response!
It seems it is becoming practice for companies seeking GDPR consultants to require liability for administrative fines and related costs incurred.
You have asked about the contracts: these are service/consulting contracts between a GDPR consultant and an SME company (client) which intends to outsource GDPR management/compliance to an external consultant. The services would typically include investigation of readiness for GDPR, preparation of guidelines the company should comply with with regard to GDPR, impact assessment and gap analysis. The value of such contracts is a fraction of the administrative fines which might be imposed upon the client by the authorities in case of a GDPR breach. GDPR consultants who refuse to accept full liability for the administrative fines often lose their opportunities and clients.
I do not fully understand your paragraph on direct and consequential damages. Could you please kindly explain?
Thank you again for your time and help.
• NISSAN Europe (Alliance Renault)
Please share any market trends regarding "super caps" instead of unlimited liability in case of data and/or security breaches for SAAS, PAAS and IAAS contracts, Thanking you in advance, Hubert
Hubert - this wasn't SaaS, PaaS, IaaS specific - but on most recent contracts relating to ICT managed services I've worked on (network and apps support) customer took an approach of requesting unlimited liability, then relaxing back to super cap between £15 - £25m (depending on bargaining power).
• San Diego Association of Governments (SANDAG)
We quickly identified the "usual offenders" who turned tracked changes off, made changes, then turned it back on, but we believe that most were accidental oversights. To prevent these, we just about always use locked tracked changes both internally and externally.
You'll have some resistance first, but eventually all of the stakeholders get used to it.
• Infrastructure Ontario
I prefer to run my own comparison rather than rely on a counterparty's. This avoids the question of whether an oversight was intentional or not.