Data Protection and why it matters to your business
Awareness of Data Protection and the legislation surrounding it has been gradually increasing over the last decade and received a further degree of attention following the implementation of the Data Protection Act and the General Data Protection Regulations in 2018. Whilst many businesses will be well aware of their Data Protection duties and will take extensive steps to safeguard the data that they are charged with handling, inadvertent acts of human error remain a very real risk.
The better the Data Protection policy and the more protective measures that are implemented, the less likely it is that mistakes or errors will occur. The quicker an error is rectified or its effects mitigated, the less the impact on the data subject and the data controller. When mistakes do occur, they can be costly and reputationally compromising.
Inadvertent data breaches can attract significant fines from the Information Commissioner’s Office (ICO) and potentially lead to compensation claims against the entity that has allowed the breach to occur. Examples of a personal data breach include:
- Sending personal data to the wrong recipient via e-mail;
- Loss of laptops or other mobile devices which hold personal data;
- Hacking of passwords, e-mail accounts, networks and systems; and
- Loss or theft of hard copies which include personal data.
Upon notification of a data breach, the ICO will undertake a preliminary investigation to determine whether any further action is required. The ICO will be looking at whether the breach could and should have been prevented had proper policies and procedures been in place to avoid the risk of such an incident occurring. In the case of a minor inadvertent breach and in circumstances where appropriate steps have been taken to mitigate the breach, the ICO may decide to take no further action as long as it can be satisfied that the appropriate steps have been taken to avoid such an error occurring again. If the ICO considers the breach to be serious enough or is dissatisfied with the organisation’s response to the breach, the ICO can impose fines of up to £17.5 million or 4% of annual global turnover.
A further concern is the rise in law firms looking to represent claimants on a no win no fee basis in bringing claims for damages arising from inadvertent personal data breaches. Whereas previously under data protection legislation, there was a requirement for a claimant to show “pecuniary loss” arising from a data breach, that requirement is no longer present. This means that claimants can now bring claims purely for “distress” caused by inadvertent disclosure of their data.
The concept of “distress” can be difficult to assess, and damages can be hard to quantify as a result; the majority of the leading cases in this area do not address this issue. Often claimant solicitors will seek to include a number of other ancillary claims in order to bolster the level of damages recoverable from any one claim. Legal costs will also likely be claimed.
With appropriate policies in place, a business should be able to significantly reduce the risk of inadvertent disclosures, as long as staff fully comply with such policies. Examples of risk-reducing measures include: peer-checking of e-mails and letters; a secure e-mail system that allows for revocation of access to a particular e-mail; and telephoning a data subject to check their most up-to-date address before sending anything in the post.
Should a claim be intimated or threatened by a claimant whose data has been the subject of a breach, data controllers or processors may wish to make contact with a specialist firm of solicitors that can assist with responding to that claim with a view to reducing the levels of compensation payable and avoiding or reducing any associated costs liability.
In summary, businesses and public-sector bodies will no doubt wish to take extensive steps to guard against the risk of data breaches occurring in the first place but, should the worst occur, a specialist firm of solicitors can assist in reducing or avoiding the consequences of such an incident.