The Scotsman

GDPR shifts power from companies to subjects

Data risks unaddressed in the boardroom face being exposed in the courtroom, to the detriment of reputations, says Ann Henry


It is likely your inbox has been inundated with requests from multiple sources to confirm you are happy for your email address and personal information to continue to be held on their respective databases.

This cautious approach – from music streaming services to health clubs – is understandable, because the General Data Protection Regulation (GDPR), which came into force on Friday (25 May), heralds a power shift away from companies, whether data controllers or data processors, towards data subjects – ordinary people, clients and customers.

While much has been said about the need for senior management ‘buy-in’ to the many GDPR compliance projects ongoing in businesses, less has been said about the consequences that will unfold before the courts for the organisations that are not in compliance.

If a customer or employee believes that their personal data rights have been infringed by a company, whether as a controller or processor, then they can go to court to seek various orders and, importantly, they can sue for compensation. Others affected by the fallout will potentially also have a cause of action, for example a spouse whose partner became ill from the stress or a journalistic source that gets exposed in a data breach.

Once proceedings are issued it won’t be long before a forensics team hired by the opposing lawyers will be poring over the internal corporate workings. Any idea of ‘quick fixing’ compliance will not work, and efforts to do that will be seen for what they are and will likely increase the damages to be paid.

Data protection actions will be treated legally like other ‘torts’ – acts of infringement that incur legal liability. This is important as it is likely that the other side will be entitled to relevant and necessary document discovery – so how your company complies with GDPR will be on public show in the courts, and therefore potentially in the media.

The new enforcement regime will sweep all this information into the public domain, and it will become clear pretty soon which companies have competence in dealing with personal data and which ones cannot be trusted.

When corporate governance is functioning properly it ensures that companies have the systems and controls in place to manage the flow of information so that they can make the right decision at the right time. Any effective system of corporate governance requires leadership, independence, competence and challenge.

Of these, competence is ‘king’, and an understanding of the new GDPR enforcement regime is therefore vital for a board and senior management to ensure effective compliance within their organisation.

There are many potential infringements of GDPR that could give rise to a data protection action, including data breaches. The regulatory fines for data breaches sit at the lower of the two fining thresholds, reflecting the fact that breaches do and will happen.

However, there will be mandatory notification to data subjects where there has been a data breach that poses a high risk “to their rights and freedoms”. Mandatory notification is a game changer because once the individuals concerned are informed about the data breach it can lead to them – and others damaged by the breach – issuing data protection actions.

Data breaches are typically categorised into three types. A confidentiality breach is where there is an unauthorised or accidental disclosure of, or access to, personal data; an availability breach is where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and an integrity breach is where there is an unauthorised or accidental alteration of personal data. A single incident can fall into more than one category: ransomware that encrypts a customer database and exfiltrates it beforehand is both an availability breach and a confidentiality breach.

GDPR (Article 82) provides that “any person who has suffered material or non-material damage as a result of an infringement … shall have the right to receive compensation from the controller or processor for the damage suffered”.

There is a lot in those three lines. Firstly, the term “non-material damage” covers non-financial damage, such as personal distress. Secondly, the right to compensation extends to “any person” – arguably both to a natural person and to a corporate entity. And thirdly, the right to receive compensation is from the data controller or processor, so joint and several liability applies: a claimant can recover the full amount from either, leaving them to apportion it between themselves afterwards.

Make no mistake, data risks that are not addressed in the boardroom face a much-increased risk of being exposed in the courtroom, and corporate reputations lost are extremely hard to restore.

Ann Henry is a partner and expert in commercial litigation at Pinsent Masons LLP

