The birth of GDPR claims management

With the introduction of the General Data Protection Regulations (GDPR), how close are we to a culture of GDPR compensation claims? With so many companies within the EU holding personal data, and an unprecedented challenge to adhere to the regulations, how vulnerable will companies be to future claims? Individuals may not have the time or energy to deal with litigation. Many many failures will go unchallenged, but delegating such activity to law firms and new businesses established for this very purpose could place an increased amount of stress on firms to comply with requests. Also, how will cyber insurance policies will be adapted to protect against such claims; a new level of litigation in the making perhaps.

The traffic accident compensation culture has evolved quite significantly in the UK, and the number of personal injury claims is at an all-time high. They have increased to the point that almost immediately following an accident, claims management companies are lining up to take on cases. Television channels and websites inundate with commercials offering no-win-no-fee arrangements and insurance policies either include legal support or make it available to customers as an add-on option. The following are indicators of what is emerging, although the coffee machine chatter on the subject shows a difference of opinion on what the market place will look like two years from now.

  • Businesses are increasingly using a thought leadership approach to demonstrating understanding and credibility in data protection related issues, particularly in the insurance and litigation spaces. Generally, companies and individual professionals are positioning themselves as experts in the field.
  • Published reports and surveys indicate that large numbers of businesses are unprepared for GDPR compliance, suggesting the number of potential claims will be high
  • Issues which lead to businesses being open to litigation are highly likely to involve many customers and less likely to be one or a handful of individuals. The lack of compliance is more likely to be systemic. Rather than an individual making a claim and approaching a law firm, litigation is more likely to be driven by events taking place or failures identified, then finding the customers willing to jump on the bandwagon.
  • There is a growing compensation culture within the UK. Not to say that people are not entitled to claim if they have suffered a loss, but rather it illustrates a change in attitude. What was once (in my lifetime) a ‘get up and move on’ approach, it is more likely now that someone suffering a loss will first be thinking ‘can I claim compensation’.
  • Politicians have complained about the adverse effects of excessive litigation on the economy and society. Politicians have also given undertakings that if elected into government, they would ‘cut out the cancer of litigation’.
  • Many new pieces of legislation are being introduced, which gives people the right to compensation if they suffer a loss. It is reasonable to expect that people will exercise such legal rights, and depending on the magnitude at which this happens, the process will need effective management.

These are indicative of a growing risk to companies who manage large quantities of personal data. Also, there is an increasing opportunity for existing companies and new companies to emerge to deal with both protecting organisations and to deal with litigation against failures to comply.

How much info is too much? (Part 4)

Address the issue of what information to provide by defining the overall process for dealing with new clients. This process doesn’t need to be complicated and having a process to follow will prevent digression into off-topic discussions; importantly, avoiding all conversations about previous clients and focussing on what the client needs now and in the future. Having your process in place reduces the risk of being drawn into following someone else’s.

  1. The client shows an interest in your services because they need help to solve a specific problem
  2. Ask specific questions about what services are required and what problems the client faces, which require attention. Depending on the complexity, it may be necessary to arrange a consultation to discuss the specific requirements.
  3. Provide a summary of discussion points and conclusions, a proposal to deliver, along with costs and timescales
  4. Further consultation and refinement of the proposal may be necessary
  5. Client accepts or rejects the proposal

The point with this process is to gain credibility from taking a professional approach to solving the potential client’s problems, not by demonstrating what you delivered to previous clients. Although lots of companies and individuals have similar issues, clients don’t want their laundry washed and dried in public.

Companies understandably want to undertake a measure of supplier due diligence, so it stands to reason that suppliers should apply the same level of scrutiny to potential clients. In the above process, if followed through, you can quickly filter out phishing attempts, and the discussion on requirements will have taken place, and done so without discussing confidential information.

In parallel to discussing requirements, acquire additional information to verify that the client and their needs are genuine. Client due diligence is more than checking to make sure you are likely to get paid for the services provided. Gather facts about the client to make sure they are who they claim to be and assess risks such as money laundering, terrorist financing, impersonation and identity fraud. Check sources such as public brochure websites, due diligence websites and public registers such as companies house.

To conclude on confidential information, potential clients whose primary interest is in understanding what services you delivered to previous clients and no interest in discussing their current predicaments, should be treated with a level of suspicion. However, not all will be fraudulent with malicious intent; there are plenty of market research companies that are skilled at extracting information while pretending to be potential customers.