The prospect of huge fines may be driving most companies’ efforts to achieve GDPR compliance before the May 25 deadline – despite the Information Commissioner’s assurances that monetary penalties will be the last resort – but it is the rise of an army of “no win, no fee” compensation lawyers which could do the most damage.
That was the view of a round-table panel of data protection experts, at an event this week.
“One point I think people miss when they’re looking at GDPR is that they are always looking at the regulator,” said Julian Box, CEO of cloud business Calligo. “But the real challenge is going to come from people asking, ‘what data do you have on me?’”
Box predicted that once consumers realise companies are holding data that they should not, it could easily trigger a flood of class-action lawsuits. The costs related to that would “dwarf” those handed down by a regulator, he insisted, adding: “We truly think you’re going to see ambulance chasers here.”
And with one recent study showing that nearly three-quarters (70%) of consumers plan to exercise their right to get a copy of the data firms hold on them, it has already been predicted that data compensation claims could make the £30bn paid out so far in the PPI mis-selling scandal look like loose change.
Robert Bond, a partner at law firm Bristows, agreed that there would be attempts to tap into this market, especially after a data breach. “The area we foresee [being used] is emotional distress – having ambulance-chasing lawyers saying, ‘have you lost sleep because your data might have been exposed?’” Bond said. “You can imagine, if a million people make a claim of £1,000 each, that dwarfs any of the other fines.”
He added that, with the cost of notifying data subjects about the breach, possible fines from the regulator and related brand damage or falling share prices, there could be a “perfect storm” of costs.
Cloudian global technical director Neil Stobart concurred, saying: “You can guarantee there will be a whole industry out there.”
The panel, which also included EY global GDPR lead consultant Noris Iswaldi and University of Suffolk director of IT Peter O’Rourke, said the biggest challenge is that firms often don’t know what data they collect, or where it is held.
“The struggle is they think it can be solved by IT and it cannot,” said Stobart. “The data owner needs to look at their data, and say whether it’s relevant for them to keep.”