High court awards damages to individuals whose data was exposed online
The potential financial penalties that can arise from a serious data breach have been well publicised with the introduction of the GDPR in May this year.
Non-compliance brings a risk of fines up to €20 million or 4% of annual turnover, whichever is greater.
This is a significant amount of money and the impact on most businesses would likely be catastrophic. But there is no need for panic. These are maximum amounts and the ICO has the capacity to impose smaller fines, in keeping with the nature of the breach, or even non-financial actions such as warnings and reprimands.
However, there is a ‘hidden’ financial consequence you should be aware of.
In spite of all the publicity about these potentially huge fines, one risk of non-compliance that hasn’t had as much air time, is that of the damages you may have to pay to the people whose personal data is exposed during the breach.
This issue has been highlighted recently by Cordrey Compliance who have recently cited a case where the UK Appeal Court has ruled on the damages caused by the unlawful disclosure of personal information.
This issue is about the compensation for damages that the individuals can claim against the organisation who committed the breach.
The particular example cited by Cordrey Compliance, is the recent appeal case of The Home Office and The Secretary of State. A spreadsheet containing the personal details of individuals seeking asylum was accidently published online. The spreadsheet contained various tabs and links to other spreadsheets that were also accessible.
One of the most interesting points to note here is that the ICO did not take any regulatory action. It was the individuals affected who brought legal claims for damages caused by the distress of the publication of this spreadsheet.
Of further note is the fact that the damages, ranging from £2,500 to £12,500 weren’t just awarded to the individuals on the spreadsheet, but also, in some cases, to other family members who were identifiable via the details on the disclosed spreadsheet.
The GDPR gives rights to seek compensation from a data controller or a data processor, for anyone who suffers ‘material or non-material’ damages. If a significant amount of personal data is exposed and many people suffer as a consequence, the cumulative effect of the damages that may then be payable to these individuals, can add up to a very substantial amount of money.
The learnings we can take from this are of course, to ensure that all of your systems and policies are GDPR are compliant, and in particular, to take extra care with the use of spreadsheets.
If the spreadsheet contains personal information, ensure it is password locked and only ever email it, if it is absolutely necessary. Staff training in this area is essential if you are going to do all you can to reduce risk and protect the personal information you are holding.
If you require any assistance or further information, get in touch with Griffin House Consultancy today on 01673 885533 or email us at [email protected].
You can also sign up to our eBulletin for the latest developments in data protection, information governance and compliance.