GDPR: Get ready for Data Protection ambulance chasers

The Information Commissioner, Christopher Graham, has called the potential fines imposed under the new General Data Protection Regulation (GDPR) “eye-watering” – up to €20 million or 4% of your global turnover.

The GDPR is likely to be enforceable Summer 2018. There will be a lot of column inches written on the subject during that time – read by marketing professionals and consumers alike.

There’s two aspects to this issue. Firstly, law firms will scramble to offer advice on protecting you from the EU fines.

Christopher Graham said at the recent DMA Data Protection summit “The sky’s the limit for enforcement. This is getting serious.” Three days later, he issued the largest fine yet (£350,000) against a little known firm called Prodial Ltd. Mr Graham is right, this is getting serious.

But there is a second aspect to consider – consumers encouraged to claim compensation for data protection breaches. Encouraged by solicitors specialising in data laws. A quick search on Google for ‘no win no fee data protection solicitors’ shows an alarming number of firms – and the numbers are bound to increase.

A new breed of Data Protection ambulance chasers are being born.

Look at how an entire (and sometimes annoying) industry was created around the subject of PPI Claims. I would suggest that winning a data protection case will be easier for consumers, and therefore their claims may be more prevalent.

The Information Commissioner cannot award compensation, even if he believes an organisation has broken the law. So consumers may first ask directly for compensation, and if you don’t agree they can take it to the Small Claims Court (accompanied by their ‘no win, no fee’ solicitor). If you lose, your company will have a County Court Judgement against it (see John Lewis Plc vs Mansfield).

The compensation amounts are likely to be small, the real issue is the damage a County Court Judgement does to your credit rating and the embarrassment it causes your brand. Losing two or three data protection breaches in court will quickly erode trust in your name.

It’s time to brief your senior management team about the impact of the forthcoming GDPR and ensure all staff that use customer data (everyone?) are aware of their responsibilities. Remember, this is getting serious.

---------------------------------------------------------------------------------------------------

This post is part of a series about the new EU data law (General Data Protection Regulation). There is a supprting post on my blog titled ‘10 must-know facts about the GDPR‘.