The sky’s the limit – compensation for data breaches could take off

We take the security of your data extremely seriously. 

Do you recognise this phrase?

Consumers in general have been receiving an increasing number of letters or emails that include this phrase (or something similar) in recent months. Chances are the communications have come from businesses that have suffered data security breaches, apologising to their customers for the security of their data having been compromised in some way. Only last week, British Airways' Chief Executive announced that the company had suffered a data breach affecting thousands of its customers who had made bookings online. Shares in IAG, BA's parent firm, dropped on the announcement, customers have been taking to social media to voice their anger whilst scrambling to cancel payment cards, and there is now talk of a £500m group action by disgruntled customers.

There is a very good reason for the significant increase in notifications: the rules on data breach notification changed substantially on 25 May 2018. The new rules mean:

  • if a breach is likely to result in a risk to the individuals affected, the data controller must notify the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of a personal data breach.
  • processors (i.e. organisations that process personal data on behalf of controllers) must inform controllers without undue delay on becoming aware of a personal data breach.
  • those poor individuals affected must be told by the controller without undue delay where the breach is likely to result in a high risk to them.

These new obligations require businesses to be much more proactive when dealing with, and responding to, personal data breaches.  Even allowing for the potential significant harm to a business’s reputation (and share price), the potential financial ramifications for getting things wrong are very severe.  The ICO can now apply fines up to the greater of 20 million euros or 4% of a business’s total worldwide annual turnover.  Individuals also have the right to seek compensation for damage suffered and group actions are likely to become increasingly common.

There are also important compliance obligations to bear in mind when handling the fall-out from a data breach.  For example, when informing the ICO, affected businesses must provide the ICO with certain minimum information.  They must also maintain a record of all personal data breaches.   As well as ensuring communications to individuals describe the nature of the breach in clear and plain language, such notices must also include minimum information.

Are you prepared?

As a business, ask yourself whether you are prepared to manage the fall-out from a data protection breach.

  • Do your staff know how to escalate a security incident within your organisation?
  • Will your staff recognise a personal data breach?
  • Do you have a data breach response plan in place?
  • Who will decide whether the personal data breach should be reported and, if so, to whom?
  • Which individuals have responsibility for managing breaches?
  • How would you cope with a flood of claims or a group action for compensation?
  • Do you know what information the ICO requires?
  • Do you know what affected individuals have to be told?
  • Do you log all security incidents?
  • Do your contracts with your service providers deal with what should happen in the event of an incident?

Our team of data protection experts has significant experience of advising organisations on preparing data breach response plans and on managing and responding to personal data breaches.
