Tackling Liability under GDPR
Recently, it was announced that British Airways is to be fined more than £183m by the UK Information Commissioner's Office (ICO) after hackers stole the personal data of half a million of the airline's customers. According to the ICO, the data breach, which began in June 2018, occurred because British Airways had "poor security arrangements" in place to protect customer information from being accessed.
As a controller, we are not in control of the cloud service provider's (IT) environment and must rely upon the (IT) controls that the provider has in place. Such arrangements must be governed by a contract or other legal act under Union or Member State law, namely by a data processing agreement (DPA), which shall include the appropriate security measures to be implemented by the processor.
In this session, we will look into the particularities and challenges of a DPA when negotiating the appropriate organizational and security measures to be implemented, including their scope, assessment and enforcement during the term of such an arrangement, as a way of managing the risk of liability towards individuals and before the data protection authorities.