25 October, 2021
Data protection laws evolved substantially in 2018 with the implementation of the General Data Protection Regulation (GDPR). In this article we will explore the basic data protection principles, and the things to consider when thinking about bringing a claim against an organisation for breaching data protection laws.
The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data (a data 'controller' or 'processor') has to follow strict rules called 'data protection principles'. For example, they must make sure the information is used fairly, lawfully, and transparently. There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, and health. There are a few different types of information that could be classified as sensitive data and the examples referred to do not represent an exhaustive list. It is cases involving the disclosure of this data that tend to be more valuable.
There are significant factors to consider when approaching the prospect of bringing a data protection claim against an organisation that is a data controller/processor. We will look at this in more detail within this article.
The GDPR provides you with a right to claim compensation from an organisation if you have suffered damage because of that organisation breaching data protection law. This includes:
You do not have to make a court claim to obtain compensation - the organisation may simply agree to pay it to you. However, if it does not agree to pay, your next step would be to pursue a claim through the court. The court would decide your case. If it agreed with you, it would decide whether the organisation would have to pay you compensation and how much.
Data can be breached either through reckless care and storage of your data, for example not password-protecting documents, sending your data to the wrong party, or losing data, or through more targeted hacks and data thefts by cybercriminals.
At Forbes Solicitors, we do consider claims where sensitive data, such as medical records, financial information or other data considered to be sensitive, has been sent out to the wrong person, which could cause damage to your reputation or affect your safety.
As a rule, we do not deal with claims for:
The distress caused by the breach is the focus when considering compensation for a breach of GDPR. If distress suffered is deemed to be minimal and short lived, the De Minimis principle may apply, limiting or even removing the eligibility for receiving compensation that may have been available. Examples can include a one-off breach that does not involve sensitive personal data which is quickly resolved.
The De Minimis principle is a formulation of a quantitative or qualitative threshold below which notification of a personal data breach is not mandatory, because the risk to the rights and freedoms (including the respect for private life and family life) of data subjects will be negligible.
There will be instances where, even though a person is notified of a breach, it does not meet the threshold of seriousness. It might be described as 'negligible'.
Factors considered which are likely to justify an award of compensation and the likelihood legal costs will be recovered can be as follows:
Factors that may adversely affect compensation could include the following:
If answers to the above factors are minimal, for example, the data was not sensitive data, and the breach hasn't affected your health, lifestyle, work, relationships, and the organisation has taken steps to correct the breach once they became aware of it, then the De Minimis principle may apply. This means that there will be effectively 'no/minimal loss' or 'no/minimal distress' caused and therefore no basis for an award of compensation, and therefore pursuing a claim against the organisation would not be economical.
The claimant must prove their claim and provide evidence of distress.
In essence, we specialise in getting compensation for individuals where the wrongful disclosure has significantly impacted their lives.
If a claim is pursued by commencing court proceedings, the amount of compensation awarded will be assessed by the judge hearing the case, who will take into account all the circumstances. This will include how serious the infringement was and its impact on you, particularly when assessing the distress you have suffered.
To be successful, you must demonstrate a breach that has caused some damage. It is not enough simply to have a breach. You must prove the distress and any loss. Medical records may assist along with documents and receipts to prove other financial loss.
If court proceedings become necessary, the court will look at the complexity and value of the case and decide which 'track' to place it in. If it is allocated to the small claims track because it is of limited value and complexity, neither party will recover their costs, only their reasonable disbursements if they win.
When a case is placed in a higher track, the court should award costs to you if you win. It can also award costs against you if you lose. Those costs can be significant. We should be able to get insurance to cover those costs. If you win, the insurance premium is usually recoverable from the other side, providing the terms of insurance have been followed and the case involves the misuse of your private information or breach of confidence. Insurance is available for pure GDPR claims; however, the premium is not recoverable and would have to be paid out of damages.
For more information contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively send any question through to Forbes Solicitors via our online Contact Form.