Most comments on risks to firms that violate GDPR have focused on fines, but there is another financial threat: private civil claims, according to the law firm Skadden.
In an advisory, Skadden writes that the GDPR “grants any individual the right to compensation for damage caused by a data controller’s or processor’s breach of the GDPR’s requirements.”
It adds that "compensation is recoverable whether or not the relevant loss was financial in nature."
Case in point: “British Airways has been threatened with a class action lawsuit by individuals whose data may have been compromised after a data hack resulted in the loss of payment card data associated with 380,000 transactions,” Skadden writes.
It adds: “The plaintiffs assert an entitlement to recover from the airline damages for ‘inconvenience, distress and misuse of their private information’ of up to £1,250 each, leaving a total quantum running well into the hundreds of millions of pounds.”
The advisory also notes that collective claims are being aggressively pursued in Austria.
Skadden advises companies to make sure their key personnel “fully understand the financial and reputational risks posed by compensation claims under the GDPR,” and to the company, so that its policies and privacy notices are in line with the law.
It also urges firms to prevent their data security measures from being superseded, and to ensure that staff are trained in identifying data protection issues.
In addition, Skadden says brands should ensure that “appropriate systems exist for notifying any breach to individuals (which will also alert them to the need to take any steps to minimize their losses).” And it calls on firms to confirm that their existing insurance policies cover compensation paid under GDPR.