The numerous emails received in May reminded us that the General Data Protection Regulation (GDPR) was applied from 25 May 2018.
In addition, the Data Protection Act 1998 was repealed and replaced by a new Data Protection Act 2018 on the same day.
This has dramatically altered the regulatory and litigation landscape faced by businesses and their directors when dealing with personal data.
Organisations holding and processing data have always been required to process it in a lawful, fair and transparent manner.
This includes data relating to customers and employees. However, the GDPR places a much higher burden on the accountability of organisations to comply with its principles. In particular, businesses must now evidence how they are complying with the regulations.
Further, data subjects are increasingly aware of their rights and the GDPR requires them to be notified in the event that a data breach occurs. The GDPR imposes significant financial fines on businesses of up to Euro 20m (£17.6m) or 4 per cent of global turnover, whichever is higher.
It also exposes directors to criminal sanctions. Directors are therefore facing a perfect storm with increased public awareness of their rights over data, combined with the threat of increased fines and personal culpability.
An organisation must implement “appropriate technical and organisational measures” to demonstrate that data processing is performed in accordance with the GDPR.
What amounts to an appropriate measure is not defined, but it must be “proportionate” to the nature and scope of data being processed and the likelihood and severity of risks to that data.
Larger organisations (with more resource, employees, customers and data) will necessarily be required to implement more rigorous data protection regimes, policies and training to demonstrate their compliance with the GDPR compared with SME businesses.
In addition to the significant administrative fines imposed by the Information Commissioner's Office (ICO), the GDPR stipulates that any person who suffers material or non-material damage as a result of a breach has the right to receive compensation from the organisation responsible.
The only defence is if the organisation can demonstrate that “it is not in any way responsible for the event giving rise to the damage”. This is a high test to meet and is additional to a civil liability for any damage suffered.
The phrase “non-material damage” allows for compensation to be awarded for distress and inconvenience where no financial loss has been suffered.
As well as this individual right of action, the GDPR contains provisions that may encourage group actions for data breaches.
Data subjects have the right to instruct a not-for-profit organisation “to exercise the right to receive compensation” on their behalf.
It is likely that this provision will be used as a vehicle for claims to be brought on behalf of a group of individuals in the event of a data breach.