The General Data Protection Regulation (GDPR) and Data Protection Bill will be among key regulatory changes in 2018. As media coverage of the changes raises awareness, there is likely to be a rise in claims and complaints from individuals, writes TLT partner Richard Hayllar
With the large volume of sensitive data held by financial institutions, they must take note of the potential risks and prepare themselves accordingly, particularly following the recent ruling in the Morrisons group litigation claim.
Considering the two forms of financial consequence for data breaches under the GDPR, the first being the right to compensation and/or damages for affected individuals, and the second being fines from the Information Commissioner’s Office (ICO) of up to 4% of an organisation’s annual global turnover or €20m ($24.5m), whichever is higher, the costs of data breaches for financial institutions are likely to be significant.
To avoid penalties, financial institutions should be aware of the main areas of risk:
- Data breaches
Data breaches are increasingly common for businesses, with recent high-profile examples including Morrisons, Uber and Equifax.
As holders of large quantities of valuable personal information, financial institutions need to ensure sufficient protections are in place. In the event of a breach, organisations could face customer complaints to the Financial Ombudsman Service (FOS) and claims for damages from potentially millions of people, on top of ICO fines.
As the group litigation claims against Morrisons highlight, even modest damages awards per person could result in substantial payouts if a significant number of people have been affected. The judgment in the Morrisons case also means organisations can be held liable for employees’ actions, notwithstanding that they may have taken appropriate steps to comply with data protection regulations.
- The right to be forgotten
Individuals can request their personal data be erased under the ‘right to be forgotten’. This right is limited, but it could conflict with a financial institution’s requirement to keep records for regulatory reasons.
These regulatory requirements will prevail over requests to erase personal data, but it can be expected that individuals who disagree with how these competing obligations have been applied will bring numerous claims over the failure to erase their data.
- Failure to rectify incorrect data
Under the GDPR, organisations will be required to maintain accurate and up-to-date personal data. Following a request to correct inaccurate data, organisations will have one month to comply, extendable by a further two months where the request is complex or numerous requests have been received.
Financial institutions already face numerous claims from individuals who consider that their credit rating has been harmed by incorrect credit reporting. As individuals’ awareness of their rights increases as a result of media coverage, financial institutions and other organisations are likely to see a rise in the number of claims faced. The rise in claims could in part be fuelled by potential interest from consumer protection groups.
In addition, it is possible that incorrect data could lead to further breaches, for example where sensitive information is sent to the wrong address. Such errors could result in complaints to both the ICO and FOS, as well as a legal claim.
- Failure to provide portable information
The right to data portability – providing individuals with a copy of the personal data they have supplied to an organisation, and transmitting it to another organisation where they ask for this, with some exemptions – is a new right under the GDPR.
Under this right, data will have to be provided in a structured, commonly used and machine-readable form within one month of request. This could result in claims over whether the portable data provided meets the GDPR’s technological requirements, and disputes as to whether organisations’ uses of exemptions are valid.
- Disputes on responses to Data Subject Access Requests (DSARs)
DSARs are already frequently used in litigation to obtain early disclosure of documents, and as people’s understanding of their rights has risen, use of DSARs against financial institutions has increased.
The removal of the £10 ($14) fee and the reduction of the time to respond from 40 days to one month mean this trend will likely continue. Organisations’ internal processes will be tested further, and could lead to challenges as to whether the data provided complies with legislation.
To date, the ICO’s ability to impose fines of 4% of annual global turnover or £17m, whichever is higher, has captured most of the headlines.
While such fines certainly present a risk, the ICO has stated that it intends to adopt a pragmatic approach to the enforcement of the GDPR. Organisations will, however, need to be conscious of the dual risk of fines from the ICO and claims from individuals.
The Court of Appeal’s landmark ruling in Google v Vidal-Hall established that individuals whose data had been incorrectly handled may be entitled to compensation for ‘mere distress’ – this right is now enshrined in the GDPR and makes compensation payouts far more likely. Before this judgment, financial loss from data mishandling had to be proven in order to claim damages.
With data breaches potentially affecting millions of individuals becoming increasingly common, and with ‘mere distress’ being sufficient to claim damages, it is clear why banks should remain vigilant on GDPR.
Add to this the fact that organisations can be held liable for the actions of employees, and it is not hard to see how the GDPR could increase litigation against banks.