The General Data Protection Regulation [(EU) 2016/679] is a regulatory body regulating the data protection laws in the European Union, for all members of the EU. The GDPR has come a long way since the 1995 Data Protection Directive which was adopted when the internet was a luxury and not depended on or utilised as much as it is today.
Technology has come a long way since 1995, and has transformed our lives. Therefore, a review of the 1995 Data Protection Directive was needed, leading to the GDPR being recognised as law across the EU. The new data protection rules were implemented on 25th May 2018 across all member states. This means all must comply with the new regulations otherwise they could be in serious breach of the Data Protection Act (DPA) 2018, which could lead to serious repercussions.
Some organisations have dedicated Data Protection Officers to ensure all the rules and regulations and being complied with. However, there are times where an organisation or business can breach a person’s rights without their consent. This is where the GDPR rules can be used to our advantage.
Data Subject Access Request
Under Article 15(1) and Recital 63 of the GDPR, individuals have the right to request a Data Subject Access Request (DSAR) to any organisation which holds or has processed any data in relation to the individual submitting the request.
This request is extremely helpful and informative when one would like to bring a claim against an organisation. A DSAR can be requested in relation to various claims, including:
- Banking Fraud Claims
- Breach of Data Protection Claims
- Intellectual Property Claims
Under Section 9 (7) of the Data Protection Act 2018, the court can order the data controller to comply with the DSAR. This was recently showcased in the case Dawson-Damer v Taylor Wessing LLP  EWCA Civ 74 (16 February 2017)
. The High Court was initially in favour of Taylor Wessing LLP which relied on the legal professional privilege exemption under the Data Protection Act.
However, this case was taken to the Court of Appeal where the High Court’s decision was overruled due to the points below which were examined in detail:-
- The extent of the legal professional privilege exemption;
- The existence and extent of a disproportionate effort limit on searches; and
- The approach to be taken to the judicial discretion under section 7(9) DPA to order compliance with a subject access request.
The second appeal decision is yet to be finalised. However, we can take guidance from Dawson-Damer v Taylor Wessing LLP
which clarifies matters such as proportionality, collateral damage, and legal privilege.
How to Initiate a Data Breach Claim
Depending on the nature of the case, most claims can be made directly to the ICO (Information Commissioner Officer). The ICO is the UK’s independent authority liable for upholding information rights in the public interest, and promoting openness by public bodies and data privacy for individuals. The ICO has the power to impose large fines on organisations that are in breach of the GDPR rules.
Depending on the case, individuals may be eligible to claim compensation for damages and distress if they can show the detriment they suffered due to the data breach. Most claims can be settle out of court, and a settlement agreement can be negotiated.
Once the ICO finds a company liable for a breach, and the formal appeal procedures have been exhausted, one may be eligible to start the claims procedure.
The limitation period to bring a breach of data protection claim is six years.
The amount of compensation available for data breach claims can vary depending on the amount of distress caused. In a recent case Gulati & Ors v MGN Limited
, between £72,500 and £260,250 was awarded as compensation for the distress the individuals suffered. The courts look at the nature and the sensitivity of the data disclosed.
Initiating a claim can be a tedious and expensive process as is any litigation claim brought to the attention of the courts. However, depending on the nature of the claim, one can recover legal costs from the defendant.
Author Zeen Al Atroshi
is a caseworker in the employment department at the Duncan Lewis Solicitors Harrow office. She handles a number of employment matters and has a particular specialty in settlement agreements.
To contact Zeen directly call 020 3114 1297
or email ZeenA@duncanlewis.com
Duncan Lewis Employment Solicitors
Our solicitors offer advice at any stage of an employment matter, with a successful track record in advising employers and individuals on a range of matters and disputes, including:
- Unfair Dismissal
- Breach of Contract
- Equal Pay
- Maternity and Paternity/Adoption Rights
- Minimum Wage
- Working Time Regulations
- Flexible Working
- Settlement Agreements
- Disciplinary and Grievance Procedures
- Restrictive Covenants
For expert legal advice on employment law, call 033 3772 0409.