With the General Data Protection Regulation (GDPR) and Data Protection Bill at the forefront of data protection regulatory changes in 2018, data protection and privacy law will continue to be a key part of the litigation landscape. So far, there has been little focus on the specific challenges and potential risks to financial institutions arising from this litigation, but the recent decision in the Morrisons group litigation claim has brought this into the spotlight.
The GDPR contains two separate forms of financial consequences for breaches of its enshrined rights: the right to compensation and/or damages for the individuals affected; and scope for fines by the Information Commissioner’s Office (ICO) of up to the higher of 4% of an organisation’s annual global turnover or €20m (£17m).
There are five key areas of risk that could give rise to litigation, which financial institutions need to be aware of and have a plan in place to address.
Data breaches are becoming an increasingly large problem for businesses, especially with the availability and portability of digital data. Recent media attention has focused on data breaches for a number of high-profile companies, including Morrisons, Uber and Equifax.
Data breaches will therefore be of particular concern to financial institutions as they hold large amounts of valuable and sensitive personal information. Should a data breach occur, in addition to an ICO fine, organisations could face complaints to the Financial Ombudsman Service (FOS) and claims for damages from potentially millions of affected individuals. This can result in group litigation, as seen in the recent Morrisons claim, meaning that even modest damages awards per head could lead to substantial pay-outs if a significant number of individuals are impacted.
Additionally, the Morrisons decision means financial institutions can be held liable for the actions of their employees, notwithstanding that they may have taken appropriate steps to protect the data and comply with the data protection regime.
Failure to erase personal data
The “right to be forgotten” allows individuals to request erasure of their personal data. Whilst this right is limited to certain circumstances (for example, where personal data is no longer required for a specific purpose), there is clear potential for a conflict between a financial institution’s regulatory obligations to keep records and this new right. However, regulatory obligations will prevail over requests to erase personal data.
Requests to erase data that are refused by financial institutions will likely result in numerous claims from individuals who have misunderstood these competing obligations.
Failure to rectify
The GDPR reinforces the requirement for personal data to be accurate and up to date. Financial institutions will have one month from receipt of a request to correct any inaccurate data (or three months in complex cases).
Financial institutions are already facing numerous claims from individuals who consider that their credit rating has been harmed by incorrect credit reporting. Organisations are likely to see a significant rise in the number of claims of this nature as the implementation of the GDPR continues to receive attention from both the media and consumer protection groups.
There is an additional risk that incorrect data could lead to further breaches, such as where information is sent to an incorrect address. Aside from complaints to the ICO, this could lead to complaints to the FOS or claims against the organisation for damages.
Failure to respond to Data Subject Access Requests (DSARs)
DSARs are already commonly used as a litigation tool to obtain early disclosure of documents. As individuals’ awareness of their rights has increased, there has been a rise in the number of DSARs against financial institutions and this trend will likely continue. With the removal of the £10 fee and reduction in the time for a response from 40 days to one month, financial institutions’ internal processes will be tested further.
Failure to provide portable information
Data portability is a new right that requires organisations to provide a copy of an individual’s personal data (subject to certain exemptions) to them upon request. Data will need to be provided in a structured, commonly used and machine-readable form within one month of a request.
New claims could arise from this based on complaints that the measures implemented by an organisation did not meet the technological requirements of the GDPR, and by challenging the basis on which organisations rely on exemptions.
Remedies and liabilities
To date, much of the attention on remedies and liabilities has focused on the ability of the ICO to impose fines up to the higher of 4% of annual global turnover or £17m. However, while the ICO has said that it will take action where required, the indications are that it intends to continue to adopt a pragmatic stance. Perhaps of greater significance to financial institutions are the potential claims for damages.
Under the Data Protection Act, an individual could not claim damages unless these were linked to financial loss. The Court of Appeal’s landmark ruling in Google v Vidal-Hall marked an important change and established that individuals whose data is not handled properly may be entitled to compensation for “mere distress” even if they have not suffered financial loss. This right to compensation for distress is now enshrined in the GDPR.
Further, the recent decision in the Morrisons group litigation demonstrates that the courts will allow group actions where a breach of the regime has affected a significant number of individuals. It also shows that businesses can be held liable for the actions of their employees, notwithstanding that they may have taken appropriate steps to comply with the data protection regime.
Given recent court decisions, the biggest concern for organisations will be the financial consequences arising from data breaches that could affect millions of customers. With scope for both regulatory fines and claims for damages, financial institutions could be faced with twofold financial penalties for any data protection breaches.
Richard Hayllar is a partner at UK law firm TLT. Contributions by Alison Deighton, partner, Emily Black, associate, Alanna Tregear, solicitor and James Tithecott, solicitor.