An article in Insurance Times on 13 November 2017, titled ‘Torrent of claims expected across Europe under GDPR’ highlights how the GDPR legislation could swamp organisations with litigation for the mishandling of data. Read the full article here.
While there has been much made of the total financial penalties available to the ICO, there has not been much commentary on the potential impact of a deluge of claims for compensation by individuals against those who have mishandled their data. Indeed, a brief google search reveals a number of solicitors gearing up to be prepared to ‘assist’ those who feel their data was misused. After all, it’s a simple step from a complaint to the ICO to a claim in the County Court.
‘mere distress’ can form the basis of an entitlement to compensation, even without pecuniary loss
Civil litigation in respect of data protection was highlighted in the Court of Appeal’s ruling in Google v Vidal-Hall: damage due to ‘mere distress’ can form the basis of an entitlement to compensation, even without pecuniary loss. It may be noted also that the playing field is distinctly uneven across Europe, even though the GDPR seeks harmonisation of penalties.
It’s time for organisations to brace themselves. High on the list of targets of ‘disgruntled customers’ are financial services firms, telecoms providers, and all manner of retail operations. Equally, any organisation – commercial or not – which has engaged in any form of marketing or data sharing might find themselves to be targets.
Is it unjust? Is this just another PPI situation? Indeed, there will be some malicious claims, but it’s generally acknowledged that data has been treated as a commodity to be bought, sold and passed around for far too long. Telephones at home are plagued by cold calls, often automated, and letter boxes stuffed full of marketing literature which was never requested.
The tide will turn on the 25th May, 2018.