Companies Facing Compensation Claims for GDPR Data Breaches

A main aim of the introduction of the General Data Protection Regulation (GDPR), in May 2018, is to ensure that the rights and freedoms of people living in EU states are protected, when it comes to the processing of personal data.

With this in mind, Article 82 of the GDPR deals with circumstances where the regulations have not been adhered to. This results in the data subject being able to claim compensation in the courts.

The possibility of having to pay out compensation should mean that companies audit all of their data and processes, in order to ensure that they are compliant, and that they limit the risk of data breaches occurring. Until the first compensation claim is made, it is difficult to estimate how much compensation will be payable, but amounts could potentially be substantial.

Data subjects are already able to make claims against data controllers if there is an issue with the processing of their personal data which threatens their rights or freedoms. GDPR expands this ability by enabling action to be taken against data processors as well as data controllers. This could mean that the number of compensation claims made increases, in line with the increase in the number of people to take action against.

GDPR also emphasises that compensation can be claimed for both material and non-material damage. This means that a data subject can make a claim in respect of damage to reputation in the same way that they can make a claim in respect of financial losses. This is not actually much of a change to the abilities which currently exist, but it does further emphasise the position.

One important fact to be aware of is that data controllers and processors will not be held responsible if they were in no way at fault concerning the incident which caused the material or non-material damage. Interestingly, it is not yet clear what other actions can be taken in cases like this. Like other aspects of compensation, such as the amounts payable, it seems that we will need to wait until the first action is taken, to see what happens.