New data protection rules will “open the door” to customer claims for damages but should not risk a ‘holiday sickness’-style boom in bogus claims, say industry lawyers.
The EU General Data Protection Regulation (GDPR) comes into force on May 25 and Travlaw associate lawyer Luke Golding said: “There have been a lot of scare stories. The fines are significant.”
Businesses will also be subject to civil claims and Golding told an Abta data-protection seminar: “The GDPR opens the door here. It widens the scope for individuals to bring claims [for data misuse or breaches]. These are more likely not only for financial loss, but also for distress or injury to feelings.”
He warned of reputational damage to businesses suffering cyber breaches, saying: “The first few enforcement actions will attract heavy media interest.”
However, Golding said: “I don’t think this will be the next ‘holiday sickness’. We can expect these claims to be more from aggrieved customers. Claims should be quite modest and pursued in the small claims court, so there isn’t a big incentive for claims management companies [to get involved].”
He also downplayed the risk of fines, suggesting the UK regulator, the Information Commissioner’s Office (ICO), “has not been immediately punitive in the past”.
Tim Roe, compliance and deliverability director at marketing services firm RedEye, agreed GDPR breaches could prove damaging. He said: “People could become less tolerant of bad practice.”
Travlaw partner Farina Azam told the seminar: “The less data you hold the better [and] data should be kept for no longer than necessary.”
She said: “We see a lot of clients who hold data indefinitely. We suggest you hold data for six years.”