The EU GDPR (General Data Protection Regulation) has heralded a new era in which individuals have greater control over their personal data. Organisations need to be much clearer about what information they’re processing, what it’s being used for and how data subjects can review and request changes to their data.
But did you know the GDPR has also made it easier for individuals to claim compensation when an organisation fails to meet its data protection requirements?
You’ll be most likely to do this when you are a victim of a data breach, but you can be recompensed for any “non-material” damage too. This includes things such as distress, reputational damage and loss of future wages, which can happen when an organisation unlawfully or improperly processes information, or if it fails to respond to a DSAR (data subject access request).
There are two ways you can claim compensation for violations of the GDPR.
Contact the ICO
The ICO (Information Commissioner’s Office) is the UK’s data protection regulator and supervisory authority for GDPR compliance. If you are unhappy with the way an organisation handles personal data, you should file a complaint with the ICO. It will investigate the incident and determine whether the organisation was liable.
The ICO doesn’t have the authority to award compensation (only to discipline organisations for improper data protection practices), but you can use the results of its investigation to support a legal claim, which you can make in a small-claims court. Of course, you don’t need to be the one to instigate the complaint to seek compensation; any investigation into an organisation you deal with can be used as the basis of a claim.
Make a claim directly
The only problem with contacting the ICO is that it could take a long time to get an answer, as it always has many complaints to deal with. You might therefore prefer to make a claim directly.
Without the results of the ICO’s investigation, your case will be weaker and you’re less likely to receive maximum compensation, but proceedings can be started quickly and are often settled out of court.
Compensation claims might end up being the most expensive part of a data breach for organisations. With this cost on top of the legal fees, potential penalties and however much is needed to recover from the breach, you could end up losing more than just your data.
We have created a breach readiness checklist to help you understand your risks and know where your breach response gaps are, helping you to strengthen your ability to recover, and limit the impact of a breach.