With the introduction of the General Data Protection Regulations (GDPR), how close are we to a culture of GDPR compensation claims? With so many companies within the EU holding personal data, and an unprecedented challenge to adhere to the regulations, how exposed will companies be to future claims? Individuals may not have the time or energy to deal with such claims and many failures will go unchallenged, but delegating such activity to law firms and new businesses established for this very purpose could place an increased amount of stress on businesses to comply with requests. This also brings up the question of how cyber insurance policies will be adapted to protect against such claims; a new level of litigation in the making perhaps.
The traffic accident compensation culture has evolved quite significantly in the UK and the number personal injury claims is at an all-time high. They have increased to the point that within a very short time following an accident, claims management companies are lining up to take on cases. Television channels and websites are often inundated with commercials offering no-win no-fee arrangements and insurance policies either include legal support or make it available to customers as an add-on option. The following are indicators of what is emerging, although the coffee machine chatter on the subject shows a difference of opinion on what the market place will look like 2 years from now.
- Businesses are increasingly using a thought leadership approach to demonstrating understanding and credibility in data protection related issues, particularly in the insurance and litigation spaces. Generally, businesses and individual professionals are positioning themselves as experts in the field.
- Published reports and surveys indicate that large numbers of businesses are unprepared for GDPR compliance, suggesting the number of potential claims will be high
- Issues which lead to businesses being open to litigation are highly likely to involve many customers and less likely to be one or a handful of individuals. The lack of compliance is more likely to be systemic. Rather than an individual making a claim and approaching a law firm, litigation is more likely to be driven by events taking place or failures identified, then finding the customers willing to jump on the bandwagon.
- There is a clearly a visible compensation culture which is growing. This is not intended to say that people are not entitled to make a claim if they have suffered a loss, but rather it illustrates a change in attitude. What was once (in my lifetime) a ‘get up and move on’ approach, it is more likely now that someone suffering a loss will first be thinking ‘can I claim compensation’.
- Politicians have complained about the adverse effects of excessive litigation on the economy and on society. Politicians have also given undertakings that if elected into government, they would ‘cut out the cancer of litigation’.
- New legislation is being introduced which gives people the right to compensation in the event that a loss is suffered. It is reasonable to expect that such rights will be exercised, and depending on the magnitude at which this happens, the process will need to be managed.
These are indicative of a growing risk to companies who manage large quantities of personal data and have an obligation to protect it. Also, there is a growing opportunity for existing companies and new companies to be established to deal with both protecting organisations and dealing with litigation against failures to comply. A follow-up article will be published to show how GDPR-related claims evolved in practice at some point after May 2018; watch this space! If it turns out that I am completely wrong with this, I will owe my colleagues an undetermined quantity of beer.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.