- Legislation has dramatically changed the regulatory landscape over the handling of data
- Anyone suffering damage from a data breach has the right to receive compensation
- Following the incident suffered by Dixons Carphone, the company is trying to determine how many individuals have had their data compromised
This could have far-reaching consequences where a data breach results in thousands or millions of individuals having their personal data compromised and those individuals group together to bring a claim.
Clearly the introduction of the GDPR has increased the risk of data protection litigation. Indeed, it is arguable that the GDPR contains provisions that target and promote best practice and governance through civil accountability, rather than through formal regulation.
In practice, we anticipate that the principles will encourage awareness of the need to protect and manage data. However, the GDPR contains increased and enhanced rights for data subjects that they may wish to enforce against businesses.
In the event of a security breach, organisations may be obliged to report the breach to the ICO within 72 hours. Further, businesses must also inform affected individuals (data subjects) where that security breach is likely to result in a high risk to them.
This will require businesses to determine the scope of any breach, including who has been affected and what data has been breached, urgently, because they must inform the data subjects “without undue delay”. This may not be straightforward.
The data incident suffered by Dixons Carphone will doubtless be heavily scrutinised by the ICO, not least because of the volume of data involved. Dixons Carphone is urgently investigating the breach, which is understood to have started in July 2017, but was only discovered in June 2018.
One of the problems faced by Dixons Carphone will be in determining precisely what information has been compromised. All that is known is that 1.2m personal data records have been accessed and that there “was an attempt to compromise” 5.9m credit and debit cards.
Although this breach appears to have occurred before the implementation of the GDPR, the company has said that it will inform those individuals who have had personal, non-financial data accessed.
It is, however, unclear whether the incident continued after the GDPR and the new Data Protection Act 2018 applied.
The ICO may well impose a significant fine, not least because this incident follows a similar event that occurred in 2015. On that occasion the ICO issued the company with a penalty of £400,000 for a system failure that allowed unauthorised access to the personal data of more than 3m customers and 1,000 employees.
This was one of the largest fines imposed by the ICO under the previous regime.
The impact that the GDPR will have on personal liability of directors and officers remains uncertain. It would appear that liability falls firmly on the organisation (as controller) to comply and demonstrate its compliance with the GDPR.