Data Protection Law – a sea of change?
Data Protection is a hot topic and focus on it is likely to increase in the next few years.
There are likely to be increases in claims and fines brought against public and private organisations, especially those that fail to understand or comply with forthcoming regulatory changes under the GDPR (General Data Protection Regulation), which comes into force from 25 May 2018. The GDPR requires businesses to make sure they are fully up to speed, prepared and accountable, or risk horrendous potential fines and irreversible damage to reputation.
The forthcoming GDPR changes do not mitigate the need for businesses currently to comply with the Data Protection Act 1998 and other applicable data protection law now, and if anything, the forthcoming change draws even more focus to current practice and how businesses are dealing with sensitive information now.
Once a business has sensitive information from a data subject, it becomes their problem how they treat and deal with it as a matter of law and there are strict limits and requirements how it should be handled, a breach of which may have serious consequences.
Data protection is of increasing significance to both businesses and individuals as it reflects the fact vast amounts of business is undertaken online, often by automated processes, and that more and more individuals are required to give potentially sensitive personal information to organisations via the internet.
With that increased automation, comes the increased risk of regulatory offences and possibility for misuse or loss of sensitive personal information, which may result in serious psychological, financial loss and distress to data subjects who fall victim.
Conversely, a business who has permitted a data protection breach to occur, may suffer significant damage to its hard-earned reputation, substantial potential fines from the Information Commissioners Office (ICO), which may impact directly on profitability and growth and may even result in criminal liability if those responsible try and cover a breach up.
On either side of the coin, data protection is not to be underestimated or treated lightly.
Whilst the regulatory change under GDPR is undoubtedly seen by business owners to be inconvenient in terms of creating additional administration, costs and training, it should be seen as an opportunity to ensure businesses have processes for dealing with data which help protect it against risks of falling foul of the law and future claims and fines. Data protection and GDPR training should be seen as a worthwhile and sensible investment designed to offer protection.
As with most aspects of law, ignorance of the law offers little solace in the event of a breach or dispute and early legal advice is sensible in the event of a suspected breach, whether you are the business responsible of the individual affected by a suspected breach.
At Saunders Law, the combined skill set of the Commercial Litigation team, Media Disputes team, Criminal and Actions Against the Police team (AAP) means we are well placed to deal and advise in the event you as an individual fall victim to a potential data protection breach, in terms of advising, liaising with the organisation responsible, seeking compensation and referring matters to the Information Commissioners Office (ICO).
Conversely, if you are a business or organisations that suspects a breach regarding sensitive information has occurred, we can offer tactical and practical advice how to potentially limit civil and criminal liability, and use potential mitigating circumstances to reduce financial penalties.
A change in civil litigation
Historically, there have been many hurdles in civil litigation to individuals who have suffered as a result of a misuse or unlawful processing of personal data, in terms of needing ideally to have suffered financial loss, rather than just distress.
In addition, the amount of compensation awarded by the courts even in successful cases is generally very low, such that bringing a claim with legal representation can be uneconomic.
However, that position may well change, and in particular as and when issues arise under the GDPR, as they inevitably will, the law may adapt and offer a better redress to those who can prove they have suffered serious harm.
Whilst the courts are unlikely to take sudden steps that result in a flood of litigation, (which ultimately comes back on them to deal with), and whilst the change may be gradual, it seems likely, following a key case of Google v Vidal-Hall and others  EWCA Civ 311, in which the courts lessened the need for people bringing claims for misuse of private information to show financial loss, and confirming misuse of personal information is a tort actionable in law, that the tide may be gradually turning and the law is updating.
Litigated cases may gradually shift to being more supportive and punitive in very serious cases where significant loss and harm can be proved to have been caused to an individual by the breach of data protection law.
If case law doesn't adapt, then the ICO fines for breaches under the GDPR are set to be much larger and damaging, to the extent that they may seriously threaten the solvency of the company.
Even if a business is facing, what appears to be initially, a potentially very low-value compensation claim by an individual who has suffered from a minor breach, investigation surrounding the alleged breach might give rise or reveal more serious data protection issues or non-compliance, which the ICO could escalate into a much bigger problem. It may well be the tip of an iceberg.
That presents potential leverage for individuals to try and secure more compensation, to avoid an expensive and lengthy battle, and negative publicity and poses heightened risk to businesses that a minor breach has the potential to escalate exponentially.
Contact our Litigation Solicitors London
If you are a business or individual affected by a potentially serious and high-value data protection breach, contact us today on 02076324300 or complete our online enquiry form to see how we can assist.