Compensation claims under GDPR, the new health and safety litigation?
March 27, 2018
Health and safety legislation in the 1970s fundamentally changed the workplace. It also led to much litigation. Thirty years on, are we set for a new wave of litigation when GDPR comes into force?
At the moment data protection in the UK is governed by the Data Protection Act 1998. It provides obligations on organisations which process personal data and gives individuals, or data subjects, certain rights in relation to their personal data.
The 1998 Act was deemed unfit for purpose for the significant changes of the digital age and the sheer volume of personal data that is processed online. The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It provides increased obligations on controllers and indeed processors of data for the first time. It also provides enhanced rights for data subjects.
At the heart of GDPR are the concepts of privacy by design and cyber security. Data controllers need to be proactive in fostering a culture of data privacy and ensuring they have technical, organisational and physical measures in place to keep data safe.
When controllers fall foul of data protection legislation, they can be subject to investigation and enforcement by the Information Commissioner or civil proceedings for compensation by data subjects.
In recent cases where plaintiffs would traditionally have relied on defamation or harassment, they are now regularly pleading information law issues such as data protection and the tort of misuse of private information. The exposure of controllers to regulatory action and/or civil litigation by aggrieved data subjects is significantly increased under GDPR for the following reasons:
- Controllers must self-report to the Information Commissioner – mandatory breach notification
- It will be easier to claim compensation. Under the current law the subject can claim for anxiety and distress when there has been monetary loss. Going forward subjects will be able to claim for both material and non-material loss.
- There will be obligations on processors for the first time.
- There is potential for group/public interest litigation so representative bodies may claim on a data subject’s behalf.
- It has extraterritorial effect. It will apply to the personal data of European citizens wherever it is processed.
- There will be enhanced rights for data subjects.
A recent decision by the High Court in England and Wales in relation to Morrisons may give a good indication of how our Courts will treat data protection legislation in a post GDPR world. The decision was published in December 2017. The case was a claim by a group of employees of Morrisons following the publication of payroll data by another disgruntled employee.
The case is of interest for 2 reasons. First, the received wisdom was previously that the real risk of data breach lies in damage to reputation rather than compensation claims. Second, the Court held an employer liable for the criminal acts of an employee outwith its control.
The employee was convicted of data related offences and sentenced to prison. Whilst this was the result of a criminal act, the Court held Morrisons vicariously liable for the actions of its employee.
The risk of litigation in relation to data protection issues will increase. Whilst most organisations are now sick of hearing about GDPR, the risk is very real, especially in sectors that process a lot of personal or even sensitive personal data. If a breach happens, they will be expected to demonstrate what measures they have implemented to keep personal data safe and to minimise loss. Litigation in a post GDPR world will be of keen interest to subjects, controllers and lawyers alike.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection/Intellectual Property Team at Cleaver Fulton Rankin for further advice or information.
Michael King, Director, Intellectual Property Team, Cleaver Fulton Rankin, Solicitors.