What’s changed since GDPR?

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights. But what else has changed since the GDPR came into force, and are things any better for you when it comes to data privacy?

Are organisations being fined more?

Not yet.

So far, most of the data breaches investigated by the Information Commissioner’s Office (ICO) happened under the old data protection legislation. Under the Data Protection Act 1998 and Privacy and Electronic Communications Regulations, the maximum fine is just £500,000, and even that wasn’t handed out often. In fact, in September 2018 Equifax was the first company to get the full £500K imposed.

At Hayes Connor Solicitors we are paying close attention to how the ICO is responding to new data breaches and will report the impact of the GDPR once it starts to make a difference.

Are more data breach compensation claims being made?

There has undoubtedly been an increase in the number of legal firms looking to take on data breach compensation claims. And that’s understandable, as in many instances the response of organisations following data breaches has been woefully lacking.

Too many big companies seem to think they can get away with just saying sorry.

However, such an absence of care over the very real impact of a data breach should not be tolerated or accepted. And unless this changes, more and more people will be forced to consider legal action if they have any chance of getting compensation for their losses.

But a word of warning: data privacy is still a relatively new and evolving area of law. And, if you want to claim compensation, you should use a professional data breach lawyer with expertise in this field.

The last thing you want is to appoint a claims management company that is only interested in getting a result as quickly as possible (and making a quick fee). This is important because the full impact of a data breach is not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the losses only start to occur three to six months later.

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone. We are also currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

We understand the long-term impact that a data breach can have on you and your family. And we know what it takes to make a successful data breach claim that ensures you are fully compensated.

Are more data subject requests being made?

Under the UK’s data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

Since the introduction of the GDPR, most companies have seen an increase in the number of requests being made. And, in some cases, these requests are made pending legal action from ex-employees or customers following a data breach.

Find out how to make a subject access request.

Are organisations improving their data privacy processes?

While we still have a long way to go, anecdotal evidence does seem to suggest that more companies are becoming aware of their data protection responsibilities, with many improving their internal governance in response.

But there are still too many companies who don’t take their obligations seriously. And the big players are just as guilty. For example, in October this year, Heathrow Airport Ltd was fined £120,000 by the ICO for inadequate data security controls. Following its investigation into the resulting breach, the ICO found that only 2% of the company’s staff had been trained in data protection.

So, while the ICO hasn’t yet come down hard on any organisation under the GDPR, we expect that it won’t be long before they make an example out of someone. That being said, the ICO has also said that it will continue to take a measured approach as long as companies can demonstrate they have tried to do the right thing. While we understand this approach, we also believe that the ICO requires education on the lasting and full impact of data breaches. Because unless this happens, the experience of the individual will continue to be downplayed.