Handling the consequences of a GDPR breach; top tips

Four years on, and many businesses are still getting to grips with the Data Protection regime that came into effect with the UK General Data Protection Regulations (GDPR).

Some well-known companies have been stung for not following the regulations, including a whopping €746m fine for Amazon last July (assumed to relate to cookie consents) and a €255m levied against WhatsApp in September (for an unclear privacy policy).

As these fines reflected turnover, it is unlikely any of you need to be fearful of such amounts, but your businesses could still face consequences for failing to follow the GDPR, especially if you are not using cookie consents correctly, have an unclear privacy policy or are caught by a data hack.

Over the last four years our dispute resolution (DR) team has helped a number of companies navigate the consequences of breaching GDPR, and a few individuals uphold their data rights. Here are a few of our top tips.

Beware the Cookie Monsters

There are individuals out there who have more time on their hands than most and use that time to visit websites solely for the purpose of testing the cookie protocols.

If the website does not ask for consent to hold data, for example, for marketing purposes, they wait to see if that data is shared with the likes of Facebook who will use it to send targeted ads. As soon as this occurs, they present the evidence of the breach of GDPR and the Privacy and Electronic Communications Regulations (PECR) and demand compensation.

Some of these have taken website owners to court. After a 14-month legal battle, one was awarded damages of £150, £285 court fees and £95 to cover his lost day’s wages — a total of £530. The website owner most likely spent 20 times that resisting the claim.

To avoid such expensive entanglements, make sure your cookie consents are in order. But should the worst happen, seeking an early settlement will save a lot of inconvenience

Act quickly and honestly

If a data breach occurs, and the impact is likely to be significant for the data subjects, you must report the breach to the Information Commissioner’s Office (ICO) within 72 hours of the breach.

The more information you give and the more you can demonstrate you did everything possible to avoid the breach (training, updated policies, risk auditing, impact assessments) the less likely it is the ICO will consider a fine. But this does not stop “claim farming.”

Watch out for “claim farmers”

Searching “data breach” in your web browser is likely to return a number of adverts from law firms offering to assist you recover damages for a data breach. These firms invest in targeted campaigns on social media to attract data breach victims.

Under the GDPR, a data subject is entitled to compensation for “non-material damage” as a result of a data breach. This refers to mental distress or anxiety caused by the loss of data. In the process of attracting clients, it is conceivable the language used can convince the data subjects that such anxiety existed.

The attraction for the claim farmers is the financial uplift on costs. It used to be a tactic to claim the data breach also amounted to mis-use of private information which potentially allows for this uplift in costs.

However, the recent case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) struck out the misuse elements of a data breach claim following a cyber attack, denying the recoverability to the uplift and the insurance taken out after the event to protect against adverse costs. This decision is likely to encourage claimants to settle out of court, but they will seek to recover whatever they can in respect of costs.

Conclusion

Each case will need to be determined on its own facts, but it is preferable to resolve the dispute amicably and swiftly. The tactics to achieve that will depend on the number of people affected and the nature of the data lost, so one size does not fit all and expert advice is needed.