What does this tell us about civil actions under GDPR?
It is wrong to suggest that this is the first group action to be brought in the UK for data protection breaches. We have commented before about the rising number of data protection civil actions, for example in our summaries of the Google v. Vidal-Hall case here http://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/.
The solicitors who are handling the Morrisons case are currently advertising for more employees or former employees to join the litigation. In addition, they seem to be planning a number of similar actions including against a bank and an insurer. More litigation against other companies is likely.
Additionally, we are currently waiting on judgment from the ECJ in a class action brought by Max Schrems against Facebook. An opinion from the court’s Advocate General on 14 November suggests restricting the ability of a claimant to bring proceedings on behalf of other claimants across Europe, although that opinion is not binding on the court. The Schrems action has approximately 25,000 claimants. Final judgment in this case is expected by the beginning of 2018.
The issue of compensation is also important under GDPR. Under GDPR, as a general principle, any person who has suffered “material or non-material damage” due to an infringement of GDPR has a right to compensation from the data controller or processor concerned for the damage suffered. There are some defences, as set out in GDPR. Our FAQs and video on the GDPR can be found here www.bit.ly/gdprfaq.
What should businesses do now?
For most organisations continuing their GDPR planning is a good way of reducing the risk of civil actions like this one. In particular organisations will want to consider:
- Taking a close look at security measures and ensuring that access rights and similar controls are actually enforced, not just documented;
- Putting in place appropriate policies and procedures to make sure that data protection principles like data security and data minimisation are properly understood;
- Doing a DPIA for new processes – for example, in this case would a DPIA have indicated that the request for data from the auditors was too wide?
- Making sure that employees in trusted roles are reliable and that their access rights are reviewed if there are concerns – implement monitoring of employees as the business thinks necessary, in compliance with data protection and employee monitoring rules and guidance (see our article about employee monitoring, data protection and human rights here http://www.corderycompliance.com/?s=barbelescu);
- Putting in place a data breach notification procedure, including detection and response capabilities;
- Training staff on all of the above; and,
- Setting up and undertaking regular compliance audits or reviews in order to identify and rectify issues.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
You can read a transcript of the case here www.bit.ly/2zLWG2l.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785