Responding to the inevitable rise of "No win, no fee" GDPR claims
One important, but often overlooked introduction of GDPR was the right for data subjects to claim compensation for a breach even where there is no demonstrable material loss. These costs are significantly more likely to be incurred by a data controller than a penalty from a statutory body and they can be very significant.
GDPR states that individuals have the…
right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).
Inevitably, this has attracted specialist “no win, no fee” legal services designed to maximise the return for the data subject. Without having to demonstrate material loss the conversation is around how much compensation rather than if it’s owed.
What can it cost?
It’s hard to definitively value intangible losses however it is fair to assume that data subjects will value them higher than a data controller will. Some legal firms will claim that the typical ‘distress’ payment is in the region of £750-£1000 with anything involving financial, or medical significantly higher. Another real life example from experience is a misdirected bank statement with no financial losses - the ‘standard’ offer from the bank to settle was £250, with the final agreed figure nearer £500.
With a breach involving medical data potentially attracting £5000+ and with a six year statute of limitation on claims, this will provide rich pickings for some time to come.
On top of these direct costs there are also of course the indirect cost of handing and defending a civil claim, conservatively this may double the per capita cost.
What should you do about it?
You can’t stop people making claims for compensation, it is their right. It’s also not financially viable to pay legal fees to defend every small claim, however there are some actions that you should take:
1) Understand the cost of risk
Only with a clear understanding of the value of the risk that you are carrying can you correctly assign resources and budget to appropriately address the risks (or to choose to accept the risk). A great source of data to help with the valuation of data breaches costs is the IBM “Cost of a Data Breach” report. This report analyses the costs of breaches in different sectors for breaches between 10,000 and 100,000 records. It also provides probabilities of different sized breaches and so can help with risk valuation.
2) Reduce the LIKELIHOOD of a breach
Prevention is so much better than cure - the per-capita costs of breaches are rising at more than 5% per annum and show no signs of slowing. With a clear understanding of the cost of risk that is being carried it’s much easier to make the business case for investing in privacy tech and procedures that reduce the likelihood of breach. With the an average breach (22k records) now costing in excess of £3M the return on investment add up well.
3) Be proactive on complaints and compensation
The level of compensation and the costs of settling will increase dramatically if a solicitor is involved. Being fair and proactive, dealing with a complaint well and promptly by offering appropriate compensation can help contain the costs. Putting in procedures that enable issues to be resolved in Customer Service teams can significantly reduce the per capita cost of a breach. It will also reduce the risk of an escalated complaint to the ICO and the potential costs associated with a fine, or other enforcement action.
4) Tighten up the legals
Given the six year statute of limitation you will want to ensure that any settlement you make is actually “final and full”. Ask your legal advisers to check your Settlement Agreement wording to ensure that the issues are closed to the best of your ability.
It sounds scary - can I have some help?
In practice this isn’t anything new to be scared of. it simply reflects the direction of travel with regards Data Privacy. Historically most organisations have significantly undervalued data privacy and with a newly informed and emboldened society we are are able to now quantify that risk-investment gap.
Claims are not to be afraid of and they can’t be avoided, so instead they should be well managed and the risks minimised. If you would like some help in better understanding your own risk profile, in valuing the cost of risk that you are carrying, or in building a business case for an appropriate privacy program then drop me an email (oliver@oliverwestmancott.com) or call on (0)20 3393 1899.