The Information Commissioner, Christopher Graham, has called the potential fines imposed under the new General Data Protection Regulation (GDPR) “eye-watering” – up to €20 million or 4% of your global turnover. Data Protection just got ‘monetised’.
The GDPR is likely to be finalised in Summer 2016 and enforceable two years later. There will be a lot of column inches written on the subject during that time – read by marketing professionals and consumers alike.
There are two aspects to this issue. Firstly, law firms will scramble to offer advice on protecting you from the European fines.
Christopher Graham said at the recent DMA Data Protection summit “The sky’s the limit for enforcement. This is getting serious.” Three days later, he issued the largest fine yet (£350,000) against a little-known firm called Prodial Ltd. Mr Graham is right, this is getting serious.
But there is a second aspect to consider – consumers encouraged to claim compensation for data protection breaches. Encouraged by solicitors specialising in data laws. A quick search on Google for ‘no win no fee data protection solicitors’ shows an alarming number of firms – and the numbers are bound to increase.
A new breed of Data Protection ambulance chasers is being born.
Look at how an entire (and sometimes annoying) industry was created around the subject of PPI Claims. I would suggest that winning a data protection case will be easier for consumers, and therefore their claims may be more prevalent.
The Information Commissioner cannot award compensation, even if he believes an organisation has broken the law. So consumers may first ask directly for compensation, and if you don’t agree they can take it to the small claims court (accompanied by their ‘no win, no fee’ solicitor).
If you lose, your company will have a County Court Judgement against it (see John Lewis Plc vs Mansfield).
The compensation amounts are likely to be small, the real issue is the damage a County Court Judgement does to your credit rating and the embarrassment it causes your brand. Losing two or three data protection breaches in court will quickly erode trust in your name.
Is this scaremongering? No, I am aware of a number of companies that have already settled out of court on data protection complaints – the average amount seems to be £2,000.
It’s time to brief your senior management team about the impact of the forthcoming GDPR and ensure all staff that use customer data (everyone?) are aware of their responsibilities. Remember, this is getting serious.
This post is part of a series about the General Data Protection Regulation; the full list of posts include ‘How Brexit impacts marketing data in the UK‘ | ‘3 tips: Steal my GDPR plan‘ | ‘The GDPR became law yesterday… and nobody cared‘ | ‘Get ready for Data Protection ambulance chasers‘ | ‘10 Must-know facts about the new EU data law‘ | ‘Want prospects to opt-in? Call them‘ | ‘You don’t need ‘opt-in’ to store a switchboard number‘ | ‘What can these guys teach you about opt-in marketing?‘ | ‘How content marketing will change after 2018‘ | ‘Winning Edge: Counter a direct threat‘