Could GDPR become the new PPI?

Could new provisions in the EU’s General Data Protection Regulation (GDPR) create a wave of Payment Protection Insurance (PPI)-style ‘no win, no fee’ compensation claims filed against non-compliant companies?

The deadline for claims over mis-sold PPI in the UK is August 2019. Claims have so far totalled more than £40 billion ($53 billion) since 2011, and banks such as Barclays continue to set aside hundreds of millions of pounds to cover them.

GDPR applies from 25 May 2018. The legislation imposes strict new requirements on how companies store and process personal information, and some experts warn that companies found to be non-compliant could face a similar wave of compensation claims from consumers and consumer groups.

With PPI and whiplash claims dying down, many lawyers might look to GDPR as the new cash cow, said Peter Erceg, Senior VP at Lockton, during the CloudSec event in London earlier this month.

At the same event UKCloud’s John Goodwin warned that “Privacy Activists could be as big a problem as the regulators” and could see companies hit with a “double whammy” of both fines from the regulators followed by a number of compensation claims from customers.

“We expect consumer litigation and class actions to quickly follow once this regulation goes live, as has happened in the US,” Pat Moran, PWC's Cyber Leader, said in April. “We are already seeing niche legal firms being established to cater for the anticipated demand, which could see another Personal Protection Insurance (PPI) debacle emerging.”

“If thousands are victims of one breach, law firms may want to take it on a ‘no-win, no-fee' basis,” Detective Chief Inspector Andrew Gould, head of the Metropolitan Police Cyber Crime Unit, said earlier this year.


Death by a thousand claims

“There is a very clear risk that something like a PPI claims industry could spring up as a result of the GDPR,” Matthew Holman, Principal at EMW Law, told IDG Connect. “We know the ICO is not planning to issue large fines straight away and so businesses should be aware of the PPI claim risk, which is just as important.”

Article 82 of the GDPR gives individuals the right to compensation for “material and non-material damage as a result of infringement of this Regulation”. Article 80 allows individuals to mandate a not-for-profit body (such as the Citizens Advice Bureau or Which?) to lodge complaints and pursue that compensation on their behalf where a business has breached the GDPR.

“This could definitely result in businesses being hit on two fronts: an investigation by the regulator (ICO) resulting in fines and also a private civil claim by one or more affected individuals. There were equivalent provisions introduced regarding consumer rights laws in 2015, but as yet we haven’t seen a huge uptake on this.”

The GDPR itself allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. That is already a massive jump from the penalties under previous legislation (the ICO's maximum fine under the UK Data Protection Act 1998 is £500,000), but the compensation claims that follow a fine could feel more like death by a thousand cuts.

“Say your customer database contains a million records,” wrote Iain Lovatt, Chairman at Blue Group Inc, in a LinkedIn post. “If just 0.5% submit a legitimate claim for £150 ($200) worth of compensation, that’s a bill for £750,000 ($990,000) – without factoring in the costs associated with thousands of hours processing them. That’s just 5,000 people. Over 10 million have been pursuing PPI claims.”

Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.