GDPR - what now?

30th July 2018 | Professional support , Regulation | Data protection

Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, discusses General Data Protection Regulation (GDPR) compliance in the post-enforcement world.

The 25 May came, and it went, the world didn’t end, and nobody was fined €20M. Does this mean that the General Data Protection Regulation (GDPR) is just a damp squib?

Since the GDPR has been enforced there hasn’t been a noticeable increase in regulatory action taken by the Information Commissioner’s Office (ICO).There have been a few cases pursued under the Data Protection Act 1998. A typical ICO investigation can take anything upwards of six months before any action is taken, so we can still expect ‘legacy’ decisions for a while.

It is worth noting, however, that no win, no fee law firms have started to operate in this sector, pursuing claims for compensation, and this will drive compliance. For those with relatively large databases of data subjects this could well prove much costlier than any fine imposed by the ICO, and may be very significant even for personal data breaches involving smaller numbers of data subjects.

Two examples will illustrate this. Recently the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 for sending an email to ninety individuals making all the recipients’ email addresses visible to each other. This was extremely sensitive data as many of the recipients were victims – an all too familiar type of breach, reminiscent of the 2016 case involving an HIV newsletter. An English law firm is advertising support for victims of the breach on their website on a no win, no fee basis.

Another recent breach was fairly well publicised resulting in personal data of customers of Ticketmaster being exposed. This was a third party supplier breach. Depending on the precise timing of the breach (relative to 25 May), Ticketmaster may be entirely liable or jointly with the supplier. The number of data subjects concerned is unclear, but is certainly several thousand. Another English law firm is advertising its services to pursue claims for this breach (again on a no win, no fee basis), indicating that a likely outcome would be an award of around £5,000 for each data subject.

This is a development which will certainly continue. It is likely that the ICO will be in a position to impose penalties under the GDPR and the Data Protection Act 2018 from around the end of this year. In the meantime, compensation cases in the courts will serve to focus attention.

The GDPR is definitely not just a damp squib.

GDPR blog
Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, explains why the General Data Protection Regulation (GDPR) is all-important for law firms.

GDPR Personal data breaches
Anna Drozd, policy adviser on professional issues at our Brussels Office, explains what personal data breaches are and how to report them under the GDPR.

GDPR legal basis and why it matters
Carolyn Thurston Smith, policy executive at the Law Society of Scotland, explains the legal bases in article 6 of the General Data Protection Regulation (GDPR).

GDPR changes to consent
Domhnall Dods, regulatory solicitor and GDPR expert at Towerhouse and member of the Law Society’s Privacy Law Committee, explains the changes to rules around consent in the General Data Protection Regulation (GDPR).

GDPR data protection officers
Dr Kenneth Meechan, member of the Law Society of Scotland’s Privacy Law Committee, explains the new rules on data protection officers and sets out some important tasks which all law firms should consider.

GDPR

Our guide to data protection from the perspective of a legal practice

Read more

Categories

News Archive

Related articles