All organisations that hold personal data will be well aware that the General Data Protection Regulation (GDPR) will come into force in May 2018. It will also come into British law through the Great Repeal Act and the subsequent Data Protection Act expected in 2019-2020.
We are well informed about the regulatory fines that can be imposed on an organisation when a data breach occurs. Somewhat under the radar, however, is the fact that the regulation may open the door to civil litigation by the data subjects themselves following a breach.
If an organisation is found to have fallen foul of the new GDPR rules, the potential for civil litigation to follow is increased for two reasons: the right to claim, and a drive by the claims management companies to pursue such claims.
The Court of Appeal case of Vidal-Hall v Google, heard in 2016, opened the door to claims being brought before the Court for distress without financial loss. Prior to this case, a financial loss had to be attached to the breach for a claim to be valid; as a result, until now very few civil claims have been pursued. Since the 2016 ruling there has been a modest increase in civil claims, and damages awarded have ranged between £2,500 and £12,500 for distress caused by data breaches. Notably, even the lower end of that range is in excess of the proposed non-motor Small Claims limit of £2,000, so recoverable legal fees would follow. It is important to note that these claims do not involve any financial losses and are for General Damages only.
The High Court has also confirmed that employers can be vicariously liable for an employee's misuse of data even if they have done all they reasonably can to prevent it and are not legally at fault, as was held in the UK's first data leak group action, brought against Morrisons. These cases were heard under the current Data Protection Act (DPA) rules, which place far higher hurdles in front of would-be claimants.
GDPR Article 82
GDPR specifically states that a civil claim can be made for any breach. The key points of Article 82 are:
- Compensation is expressly available for non-material damage.
- Processors are liable in addition to controllers, for breaches of processor-specific obligations or if acting outside the instructions of the relevant controller.
- All breaching parties are jointly and severally liable for the full loss.
- The burden of proof in at least some circumstances will shift to the defending controller or processor.
- In most cases, data subjects will be able to bring claims in their own National Courts rather than in those of the controller or processor.
- Controllers and processors without an establishment in the EU may also be liable.
Any breach under GDPR brings with it the mandatory requirement to report it to those individuals or groups whose data has been involved. Raising the profile of the breach in this way has the potential to lead to an increase in civil claims.
Historically, a tangible financial loss had to be associated with the breach, which in turn kept the civil litigation side of data breaches under control. Under GDPR this will no longer be the case, so we can expect to see a rise in the number of claims for distress. We are entering new and uncharted territory.
In 2017, the Information Commissioner's Office reported that in quarter 2 there had been a 29% increase in reported incidents from the Local Government sector, and as a result it had issued 11 fines in that same year.
Public sector organisations have experienced a number of high-profile breaches in recent times, many of which have affected vulnerable individuals in their care. The cost of reputational damage, investigatory costs and fines can be significant for the public sector, and once the additional costs arising from civil litigation are added, the total costs are set to soar.
We have lived through claims spikes for whiplash injuries, industrial disease and, more recently, travel and holiday sickness claims. This new era of claims for distress arising from data breaches or data loss will be an area of interest for the many claims management companies operating in the UK today.
Organisations should take all necessary steps to prepare for the arrival of GDPR, to protect their position against loss as far as possible and to remain on the right side of the Information Commissioner. If you require further information, please visit the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/