Data Protection Breaches Now Leading to Compensation Claims

29 August 2019

Organisations processing personal data can now face legal action if breaches of the General Data Protection Regulation (GDPR) take place.

Under the GDPR and the Data Protection Acts 1988-2018 (the DPA), data subjects, the people identified or identifiable from the data that is processed, are empowered to seek compensation if a breach of the GDPR has affected them (Articles 79 and 82 GDPR).

Lack of knowledge of the rights afforded to individuals under the GDPR has led to infringements of these rights, which is in turn leading to direct fines from the Data Protection Commission (DPC), and individual compensation claims.

The following case studies provide examples of the actions brought against organisations which were directly dealt with by the DPC.

How ready is your organisation for a Data Breach?

As well as the actual cost of compensation, legal fees and penalties, there is the reputational damage to your company to factor in. This can lead to the loss of further business and longer-term damage. The question you need to ask is ‘How ready is our organisation for a Data Breach?’. Are those who deal with the processing of personal data fully aware of data subjects’ rights under the GDPR? Is there a process in place to safeguard against data breaches? Is there a process in place once data breaches have been reported? What steps should be taken to rectify such breaches?

The following serves as a checklist for preparing for a personal data breach:

  • We know how to recognise a personal data breach.
  • We understand that a personal data breach isn’t only about loss or theft of personal data.
  • We have prepared a response plan for addressing any personal data breaches that occur.
  • We have allocated responsibility for managing breaches to a dedicated person or team.
  • Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

If a data breach does take place, it is important that your organisation has a system in place to deal with it:

  • We have in place a process to assess the likely risk to individuals as a result of a breach.
  • We know who the relevant supervisory authority for our processing activities is.
  • We have a process to notify the DPC of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet.
  • We know what information we must give the DPC about a breach.
  • We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
  • We know we must inform affected individuals without undue delay.
  • We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.
  • We document all breaches, even if they don’t all need to be reported.

Compliance is the best defence against data breaches.  Knowledge of the GDPR is the first step in ensuring compliance.  Our online GDPR Training course will outline your main responsibilities and help you to start making the necessary changes brought about by the added responsibilities on businesses arising from the GDPR.

To receive a 15% discount on our online GDPR training course, enter GDPR15 in the coupon section.