The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018. This is a major piece of legislation that affects every UK company– the sole exception is if all your customers and clients live and work outside of the EU.
The GDPR demands a high level of consent for marketing activity. Your business must be able to provide proof that consent has been given by the individual to hold and process their data for each marketing purpose. It also requires a robust IT infrastructure and putting policies, procedures and the correct legal documentation in place to prevent breaches and protect your business. You can find out more here.
Few businesses have taken the needed action to make sure they are compliant. However, this is a pressing concern. The Data Protection Authorities, in the UK this is the Information Commission Office (ICO), will have the power to enforce much more serious fines than before; in some cases, up to €20 million or 4 % of annual global turnover whichever is the higher.
While these figures are more appropriate to large corporates and it is unlikely that the full fine will be levied by the ICO, the main concern is around potential customer compensation claims.
GDPR Compensation Claims
The GDPR states that individuals can claim for compensation if they’ve suffered damages due to infringement. It states that “The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage”. So, this regulation firmly places the burden of proof on your business.
The main concern is that GDPR breaches will become like PPI claims. There could be a whole industry of GDPR claim companies starting up to help customers to make compensation claims against businesses.
The high number of PPI claims (totalling £23bn between 2011 and 2016) is due to people becoming aware of their rights and the heavy advertising done by PPI claim companies who take a percentage of the claim for doing the needed paperwork. Ironically, most PPI claim companies violate the GDPR when it comes to marketing but it is easy to see these sorts of businesses starting up to help people make claims for data protection breaches.
What Can Claims Be Made for?
Up until last year, you couldn’t make a claim under the Data Protection Act without evidence of a financial loss. This all changed with the Vidal-Hall vs Google case.
This case centred around Google collecting information related to internet usage without the Claimants’ knowledge or consent. Their usage information was then offered to advertisers who used it to target advertisements, which were then displayed on the Claimants’ computer screens and were, or might have been, visible to others.
None of the Claimants in this case suffered financial loss or other material damage. The claims were brought for compensation for distress. The claim was upheld in the Court of Appeal. Google was granted permission to appeal to the Supreme Court but the two parties settled before it reached this stage.
This case established that a claimant could claim for compensation even when they had not experienced a financial loss. So, a claim could be brought against your company for non-financial damages, known as moral damages, such as:
- Distress;
- Anxiety;
- Wounded feelings;
- Damaged reputation;
- Moral Shock;
- Humiliation etc.
Size of GDPR Compensation Claims
How big could these GDPR compensation claims be? This is tricky to answer. The Google case was brought under the Data Protection Act and was settled out of Court.
A good guideline to the potential size is the Talktalk hack in 2015, where the personal details of 157,000 customers were accessed. Some of these people were subsequently the victims of fraud and their financial loss would be assessed separately. Those who didn’t suffer a financial loss may well have been concerned that they would be victims of fraud in the future or that money may have been stolen from their accounts. This would give rise to a case for moral damages.
A conservative estimate for the claim for each of these customers under the GDPR would be £500. So, the total compensation bill for the 157,000 affected customers would be £78.5m, which completely dwarfs the fine the ICO could apply.
Until the GDPR comes into effect and some cases are brought under it, we will not know the true extent of the size of potential claims.
What we do know is that the GDPR allows for multi-party compensation claims. This makes it financially viable for a claim management firm to bring a claim against your company consisting of many small claims.
GDPR Protection for Your Business
Else Solicitors and our GDPR partner, i-Secured, can help you to achieve compliance and protect your business from claims. Else are a modern, dynamic and forward thinking firm of solicitors who have the expertise you expect from a large, traditional law firm.
If you are concerned about GDPR compliance, then we urge you to contact Adam Gilbert, Head of Corporate and Commercial Director on 01283 526 229 or at adam.gilbert@elselaw.co.uk at your earliest convenience.
Experience the Else difference today!