Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, discusses General Data Protection Regulation (GDPR) compliance in the post-enforcement world.
The 25 May came, and it went, the world didn’t end, and nobody was fined €20M. Does this mean that the General Data Protection Regulation (GDPR) is just a damp squib?
Since the GDPR has been enforced there hasn’t been a noticeable increase in regulatory action taken by the Information Commissioner’s Office (ICO). There have been a few cases pursued under the Data Protection Act 1998. A typical ICO investigation can take anything upwards of six months before any action is taken, so we can still expect ‘legacy’ decisions for a while.
It is worth noting, however, that no win, no fee law firms have started to operate in this sector, pursuing claims for compensation, and this will drive compliance. For those with relatively large databases of data subjects this could well prove much costlier than any fine imposed by the ICO, and may be very significant even for personal data breaches involving smaller numbers of data subjects.
Two examples will illustrate this. Recently the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 for sending an email to ninety individuals making all the recipients’ email addresses visible to each other. This was extremely sensitive data as many of the recipients were victims – an all too familiar type of breach, reminiscent of the 2016 case involving an HIV newsletter. An English law firm is advertising support for victims of the breach on their website on a no win, no fee basis.
Another recent breach was fairly well publicised resulting in personal data of customers of Ticketmaster being exposed. This was a third party supplier breach. Depending on the precise timing of the breach (relative to 25 May), Ticketmaster may be entirely liable or jointly with the supplier. The number of data subjects concerned is unclear, but is certainly several thousand. Another English law firm is advertising its services to pursue claims for this breach (again on a no win, no fee basis), indicating that a likely outcome would be an award of around £5,000 for each data subject.
This is a development which will certainly continue. It is likely that the ICO will be in a position to impose penalties under the GDPR and the Data Protection Act 2018 from around the end of this year. In the meantime, compensation cases in the courts will serve to focus attention.
The GDPR is definitely not just a damp squib.