Is your company ready to defend against a data protection compensation claim?
Peter Adediran’s specialist niche area of practice is data protection and privacy law as it relates to digital business including websites and mobile applications PAIL Solicitors. Read more on PAIL’s Resource Library
If you are still not taking GDPR compliance seriously you need to do so now!
The EU General Data Protection Regulation (GDPR) (Regulations) was the biggest ever shake up to data protection laws, yet many organisations (i.e. businesses, companies, non-profit bodies) are still not properly prepared for them. It covers all types of personal data use including unwanted emails and security.
To some organisations, the GDPR’s introduction that took place in May 2018 was met with some anxiety but with no real commitment to comply with the Regulations. Their thinking might have been that there would be no follow-up to police the Regulations. Well, those assumptions are wrong. The UK has replaced the 1988 Data Protection Act with legislation that mirrors the GDPR post-Brexit – the Data Protection Act 2018 (the “Act”).
Any organisation, big or small, that is failing to do enough to comply with the Regulations when securing, collecting, storing and using personal information will highly likely find itself facing a legal claim, heavy fine or other regulatory censure. It is the perfect storm for those organisations that continually refuse to take privacy and data protection laws seriously.
Data Protection Compensation Claims
There continues to be an increased slew of compensation cases, brought by members of the public (individuals and class actions suits), claiming compensation from organisations that are in breach of data protection laws, following the introduction of the Regulations.
Under the Act the English High Court and County Court have jurisdiction s180(1)(a) to hear data protection infringement claims including GDPR compensation claims. SS168, 169 Act (Article 82 GDPR) allows for a claim of compensation for “material” and “non-material” damage. S168 and case law has stated that “non-material damage” includes distress. Case law has established that there is no need to show financial loss in deciding distress.
Notable compensation cases are:
Halliday v Creation Consumer Finance [2013] EQCA Civ 333
AB v Ministry of Justice [2014] EWHC 1847
Vidal-Hall and others v Google Inc [2015] EWCA Civ 311
Gulati & Ors v MGN Limited [2015] EWHC 1482 (Ch)
TLT & Others v Secretary of State for the Home Department and the Home Office [2016] EWHC 2217 (QB)
Note that a compensation claim can be brought by a single person or several people in a class action suit. So, if for example, there is a data breach involving a 1000 people that are ultimately awarded compensation of £10,000.00 each, the consequences for a company, and its directors personally, could be very substantial.
Information Commissioner’s Office (ICO) Investigation
A data subject can complain to the ICO s165 Act (Articles 57(1)(f) and (2) and 77 GDPR). ICO is obliged, under its general duty to investigate complaints from members of the public. ICO takes this obligation very seriously and is very vigorously pursuing information provided to it by members of the public. In all cases that there is a breach, ICO will write to the business to get an explanation from it.
If the response to ICO is not satisfactory, ICO has several remedies including:
(1) working with the senior officers of the organisation to devise an action plan to prevent the breach happening again and improving information rights more widely within the organisation. The organisation’s plan must convince ICO that the organisation is taking data protection responsibilities more seriously. Note that the conclusions of an ICO complaint can be used as evidence in a data protection compensation claim.
(2) ICO can issue a financial penalty for failing to comply with Part 3 of the Act. Part 3 of the Act broadly relates to protecting the information rights of the data subject. There are 2 tiers of penalty the lower and the maximum. The higher amount is up to 20 million euros or 4% of annual global turnover and the lower is 10 million euros or 2% of annual global turnover. In practice ICO has issued much lower fines than these starting from £5,000 for a very small business. BUPA was recently fined £175,000 by ICO for failing to have proper security measures in place for protecting customer data.
Like all regulators, ICO are looking for a commitment to good data protection practices rather than perfection. However where there are either blatant breaches or consistent disregard for the Regulations the ICO penalties are intended to be: “effective, proportionate and dissuasive.” This wording on the ICO website page relating to enforcement of the Regulations, sends a clear message that such penalties for breach of the Regulations are meant to be felt by the defaulting organisation.
If you are taking data protections seriously now is the time to put the processes in place to ensure you are compliant.
By Peter Adediran
08 10 2018
This article details important elements of the necessity to comply with the General Data Protection Regulations and the Data Protection Act 2018 but is by no means exhaustive. If you are seeking advice on either complying with GDPR or are bringing or defending a data protection compensation claim and have read this article, you must take the opportunity to go and seek professional legal advice from a solicitor or barrister. The information and any commentary on the law contained on this web site is provided free of charge for information purposes only. Every reasonable effort is made to make the information and commentary accurate and up to date, but no responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by PAIL Solicitors. The information and commentary does not, and is not intended to, amount to legal advice to any person on a specific case or matter. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not to rely on the information or comments on this site. No responsibility is accepted for the content or accuracy of linked sites.