Court of Appeal: New ruling means more damages likely to be payable if you have a data breach   

October 2nd 2019 was quite a momentous day for the data protection community and indeed anyone responsible for data within their organisation.

What happened?

Two main points were clarified, and both have now set new legal precedents. The first concerns what is classed as ‘damage’ following a data breach.

Historically, in order to claim financial compensation, the claimant would have had to suffer some financial loss. This changed with the introduction of the GDPR, under which financial loss is no longer required where the claimant has suffered distress. The new Court of Appeal ruling goes further: quite simply, the fact that your data has been breached is seen as reason enough for financial damages to be due to the claimant.

The new interpretation is that your data is deemed to have a value in and of itself, so loss of control of your data must therefore have a value.

This is harsh news for data controllers and makes it even more necessary that all data is collected and processed lawfully, and that data protection policies and procedures are up to date and being meticulously followed.

There is one measure of consolation, which is that if the misuse of personal data was small scale, accidental and swiftly remedied, then the assumed automatic right to compensation is unlikely to apply.

The businesses that need to be very aware of this new interpretation of the legislation are those commercial organisations that make money out of the processing of personal data. If you fall into this category and are unsure in any way as to whether you are on the right side of this ‘new’ judge-made law, then please do contact one of our data protection specialists at Griffin House Consultancy.

A class apart: It doesn’t rain, it pours

The other blow to the data controller is that the Court of Appeal clearly opened the door to class actions now being possible for data breaches.

Because damages are now defined quite differently, how the individual has been affected is no longer as relevant. The very fact that their data has been compromised is enough for them to qualify as claimants. This means that data subjects who have suffered from the same breach can come together and claim en masse. The action can also be proactive, meaning that a company can apply for compensation on behalf of all affected data subjects and distribute the compensation afterwards. This is what appears to be happening in the Lloyd v Google [2019] EWCA Civ 1599 case, which has led to this ruling.

What you need to do

  1. Check that all of your processing complies with GDPR / DPA legislation.
  2. Ensure your lawful bases for processing are accurate and documented.
  3. Demonstrate compliance and provide evidence of any data protection and legitimate interest impact assessments as required by the legislation.
  4. Remember your electronic marketing is also covered by this legislation (a breach of the ePrivacy Directive / PECR is a breach of the GDPR).
  5. Review any relevant policies or training programmes to ensure they reflect this new reality.
  6. Call us if you aren’t sure about anything, on +44 (0)1673 88 55 33.

For a more thorough analysis of this ruling, please have a read of the following blog by Panopticon 11KPW.

If you need any further clarification, advice, guidance or training, please contact the specialists here at the Griffin House Consultancy.
