Data protectionApr 13 2018

New data rules risk triggering claims industry

twitter-iconfacebook-iconlinkedin-iconmail-iconprint-icon
Search supported by
New data rules risk triggering claims industry

New EU legislation could create the next ‘no win, no fee’ industry, advisers have been warned.

Rob Walton, chief operating officer at Intelliflo, warned the biggest risk to firms from the General Data Protection Regulation (GDPR), which comes into force on 25 May, was in Article 82, what he branded the “ambulance chasing article”.

“Article 82 makes it possible for data subjects to sue firms for any breach of their rights under the GDPR, even if it does not cause a material loss,” he said. 

“We could be about to see the next ‘no win, no fee’ industry."

Ruaraidh Thomas, managing director, applied analytics at DST Systems, suggested subject access and ‘right to be forgotten’ deletion requests will also potentially cause conflict.

"Consumers may well demand deletion, for example, but in certain instances this will not be possible. 

“When consumers then start to become dissatisfied with responses they receive from organisations they contact with these types of requests, escalation to legal support may well ensue.” 

He explained: “From there you can see how some feel this may then lead to ongoing disputes and even, potentially, class actions – especially when data breaches of the Equifax and Yahoo type also occur.”

In September 2017, credit-rating company Equifax reported it had been hit by a data breach which meant around 145 million customers had their information stolen.

Under GDPR, the Information Commissioner’s Office (ICO) will be able to fine companies as much as 4 per cent of their annual turnover, or €20m, for severe data breaches.

Asked how it might deal with claims like these, a spokesperson for the Financial Ombudsman Service (FOS) said it was “aware that under the GDPR customers may be able to seek compensation against a firm for material and non-material losses, following a breach of the GDPR by the firm”.

Fos said: “It is possible that we may receive complaints too that a firm has breached the GDPR.

“We are able to consider complaints that are brought to our service about the way that firms, who fall within our jurisdiction, have dealt with their customers’ information. We will consider each complaint that we receive on a case by case basis – both in terms of whether we have jurisdiction to consider the complaint and in order to reach a fair and reasonable outcome.”

The Ombudsman stated it currently receives complaints from consumers about the way that a firm has dealt with their information, among other things.

"We expect that we will continue to receive such complaints. 

“We will investigate each complaint individually and on a fair and reasonable basis, taking the law into account.”

But Alan Lakey, said that while “there is little doubt that claims managers are alert to any new types of complaint that they can generate or assist in creating”, GDPR was unlike other claims in that “there is no real target figure”. 

He explained: “With endowments and PPI, CMCs [claims management companies] were able to bandy figures supposedly relating to the ‘average payout’.  

“Add to this, the 'no win, no fee’ scenario which only works because it involves free access to the Ombudsman, whereas court cases are costly and I cannot imagine any CMCs wanting to chance their arm funding such matters.”

Mark Greenwood, regulatory policy manager at The SimplyBiz Group, acknowledged the right to erasure, where a client can request they are deleted from a firm’s records, is a fundamental part of the new legislation.

“This should be put into context, with the firm able to retain the client data where the data is required to comply with legal requirements or may be required to defend a future legal claim,” he said.

Read FTAdviser’s guide to GDPR implementation here and earn approximately 60 minutes of CPD.

eleanor.duncan@ft.com