The General Data Protection Regulation (GDPR) and Data Protection Bill will be among the key regulatory changes set to take place in 2018. As media coverage of these changes raises awareness, there is likely to be a noticeable increase in claims and complaints from individuals seeking to rely on the rights and protections.
With the large volume of sensitive data held by financial institutions, they must take note of the potential risks and prepare themselves accordingly, particularly following the recent ruling in the Morrisons group litigation claim.
The GDPR provides for two forms of financial consequence for data breaches: first, a right to compensation and/or damages for affected individuals, and second, fines from the Information Commissioner’s Office (ICO) of up to 4% of an organisation’s annual global turnover or €20m (£17m). Taken together, the costs of data breaches for financial institutions are likely to be significant.
To avoid such penalties, financial institutions should be aware of the main areas of risk that could result in costly litigation and compensation.
- Data breaches
Data breaches are an increasingly common occurrence for businesses, with recent high-profile breaches including Morrisons, Uber and Equifax. As organisations holding large quantities of valuable personal information, financial institutions need to ensure sufficient protections are in place. In the event of a data breach, organisations could face customer complaints to the Financial Ombudsman Service (FOS) and claims for damages from potentially millions of people, on top of ICO fines.
As the group litigation claims against Morrisons highlight, even modest damages awards per person could result in substantial pay-outs if a significant number of people have been affected. The judgment in the Morrisons case also means that organisations can be held liable for their employees’ actions, notwithstanding that they may have taken appropriate steps to comply with data protection regulations.
- The right to be forgotten
Individuals can request their personal data be erased under the “right to be forgotten”. This new right is limited but there could be conflict between it and a financial institution’s requirement to keep records for regulatory reasons.
These regulatory requirements will prevail over requests to erase personal data, but it can be expected that individuals who disagree with how these competing obligations have been applied will bring numerous claims over the failure to erase their data.
- Failure to rectify incorrect data
Under the GDPR, organisations will be required to maintain accurate and up-to-date personal data. Following a request to correct inaccurate data, organisations will have one month to comply (or three months in complicated cases). Financial institutions already face numerous claims from individuals who consider that their credit rating has been harmed by incorrect credit reporting. As individuals’ awareness of their rights increases as a result of media coverage, financial institutions and other organisations are likely to see a rise in the number of claims faced. The rise in claims could in part be fuelled by potential interest from consumer protection groups.
In addition, it’s possible that incorrect data could lead to further breaches, for example where sensitive information is sent to the wrong address. Such an error could result in complaints to both the ICO and FOS, as well as a legal claim.
- Failure to provide portable information
The right to data portability – providing individuals with a copy of their personal data (with some exemptions) – is a new right under the GDPR. Under this right, data will have to be provided in a structured, commonly used and machine-readable form within one month of the request. This could result in claims over whether the portable data provided meets the GDPR’s technological requirements, and disputes as to whether an organisation’s use of the exemptions is valid.
- Disputes on responses to Data Subject Access Requests (DSARs)
DSARs are already frequently used in litigation to obtain early disclosure of documents, and as people have gained a greater understanding of their rights, the use of DSARs against financial institutions has increased. The removal of the £10 fee and the reduction of the time to respond from 40 days to one month mean that this trend will likely continue. Organisations’ internal processes will be tested further, which could lead to challenges as to whether the data provided complies with the legislation.
To date, the ICO’s ability to impose fines of 4% of annual global turnover or £17m (whichever is higher) has captured most of the headlines. While such fines certainly present a risk, the ICO has stated that it intends to adopt a pragmatic approach to the enforcement of the GDPR. Organisations will however need to be conscious of the dual risk of fines from the ICO and claims from individuals.
The Court of Appeal’s landmark ruling in Google v Vidal-Hall established that individuals whose data had been incorrectly handled may be entitled to compensation for “mere distress” – this right is now enshrined in the GDPR and makes compensation pay-outs far more likely. Before this judgment, financial loss from data mishandling had to be proven in order to claim damages.
With data breaches potentially affecting millions of individuals becoming increasingly common and with “mere distress” being sufficient to claim damages, it becomes clear why banks should remain vigilant on the GDPR front. Add to this the fact that organisations can be held liable for the actions of their employees and it’s not hard to see how the GDPR could increase litigation against banks.
Richard Hayllar is a partner at UK law firm TLT.