Back in May 2016, I wrote an article for LinkedIn called Data Subject Access Requests: a compensation crisis waiting to happen?
In it, I looked at how the impending changes to data protection law (in the form of the General Data Protection Regulation) will see businesses having not only to work harder to obtain customer consent, but also to provide people with easier access to the personal data held about them. Also, if a Data Subject Access Request (SAR) reveals that you have misused customers’ personal data, it could easily open the floodgates to an unprecedented number of compensation claims.
Currently, SARs are chargeable and need to be supplied ‘promptly’. Under GDPR, they must be performed free of charge and supplied within a month. In its response, an organisation must:
- Confirm whether any personal data is being processed
- Give a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
- Give a copy of the personal data
- Give details of the source of the data (where this is available)
Should you fail to provide this information, or should a subject identify that you have infringed their data protection rights, the GDPR also brings other citizens’ rights into play: the ability to bring class actions and seek judicial remedies against data controllers and data processors.
Does this sound familiar to you? It was after a judicial review in 2011 that we began to understand the scale of the payment protection insurance (PPI) scandal. Since then, an estimated 10 million consumers have claimed they were mis-sold the insurance, at a cost to banks the Financial Times puts at £35bn.
Comparing incorrectly sold insurance with incorrectly held personal data isn’t as unusual as you might think. If anything, misconduct with personal data could have even bigger repercussions, with compensation requests from the public arriving on an even larger scale, particularly as the restrictive barrier of paying a fee for the SAR will be removed.
As many of you know, the Regulation states that transgressing GDPR laws can come with fines of up to €20 million, or 4% of annual worldwide turnover. However, that doesn’t include the possibility of claims for damages from data subjects.
How many records do you have in your customer database? Thousands? Millions? Don’t forget – while current data protection legislation applies to data held just in EU countries, GDPR applies to any EU citizen, no matter where in the world the data is held.
Once the manpower costs of processing large volumes of SARs are added to the potential legal fees, we are facing a ticking time bomb.
Thankfully, with GDPR not coming into force until May 25, 2018, there is still time for organisations to batten down the hatches and tackle the challenges. A good place to start would be:
- Assess your current data processing systems: Can they quickly identify, isolate and allow you to extract all copies of all personal data concerning a particular data subject? Do they store the information that shows your contacts gave you consent in a way that was unambiguous, informed and contextual?
That said, should SARs grow to PPI levels, it raises another interesting question. No doubt every one of you has received an email or phone call from shady companies offering to pursue a PPI claim on your behalf. No question there will be many similar outfits offering to unearth infringements of your personal data.
But here’s the quandary. How do the aforementioned “ambulance chasers” get hold of your data in order to make the unsolicited call, or send you an email without your consent in the first place? Could the claims management companies themselves be contravening the very laws they claim to uphold?
It goes to show that everybody needs to take a closer look at permissions and consent. Because whoever finds themselves on the receiving end of personal data mistreatment will have to face the consequences…