GDPR, the new PPI?
Updated: May 27, 2018
In the months leading up to the GDPR becoming law, there was an increasing focus on data breaches and the potential fines of €20M or 4% of total worldwide annual turnover. With the ongoing headlines and debates around the use of data, it is also worth considering the additional layer of compensation claims that may emerge. The GDPR increases the rights of data subjects to take civil action against organisations that contravene their data protection rights and to seek compensation from those organisations. There have also been reports that niche legal firms are already being established to cater for the anticipated demand.
Individuals may be able to seek compensation claims for non-material damage, for example distress, anxiety and reputational damage associated with a GDPR-related infringement, even if no financial damage has resulted. For those of us in the UK who have been the target of relentless advertising campaigns and cold calls promoting PPI claims for many years, there is now the potential for a litigious environment that could see the £30Bn paid out under PPI seem like a mere entrée to the main course.
Of course, genuine incompetence and misuse of our personal data should have recourse to the law, but the potential for disruption could become very real, with unintended consequences for jobs and the economies of the European Union as organisations are faced with class actions and consumer litigation. The scale is much broader than PPI, and the potential targets include any organisation that holds personal data on EU citizens (including the post-Brexit UK).
This clearly does not mean that only the global tech giants are impacted. It applies equally to organisations that market to or do business with EU member states, regardless of where in the world the organisation is located. If you process data while offering goods or services to data subjects who are in the EU, it does not matter where you are based: you are subject to the GDPR.
To better understand the GDPR requirements, the ICO website (ICO.org.uk) continues to be a very useful source of information, including its “12 steps to take now”. Data Protection Impact Assessments are also explained there, and further information can be obtained from a number of legal firms, insurers and cyber security specialists. Ensuring that your organisation is compliant with the GDPR has to be top of mind.