Claims against businesses under data protection and privacy law have been on the rise for some years, largely thanks to greater consumer awareness of how businesses should be handling and processing personal data. This trend is likely to continue with the advent of the new Data Protection Act 2018 (DPA 2018), which translates EU GDPR provisions into UK law.
Small-to-medium-sized enterprises (SMEs) and unincorporated associations (UAs) in particular have been affected, with a recent study showing that 61% of data breaches are suffered by organisations with fewer than 1000 employees.
Let’s take a look at why these cases seem to disproportionately fall upon SMEs and UAs. The first thing to point out is that all organisations come under the remit of the Information Commissioner’s Office (ICO). The ICO helpfully publishes guidance on what corporate responsibilities are when it comes to data. This can be summed up thus: organisations must only collect information that is needed for a specific purpose; keep it secure; ensure it is relevant and up to date; only hold as much information as they need (and only for as long as they need it); and allow the subject of the information to see it on request.
So why does it affect SMEs and UAs most? In a nutshell – scale. Large corporate entities such as banks and multinational companies are likely to have complex structures and dedicated teams in place whose aim is to ensure compliance with GDPR requirements, and who will audit the organisation’s practices to ensure that they are storing and processing data in compliance with the DPA 2018.
SMEs and UAs, by contrast, are less likely to have such teams in place. Often, an organisation might not realise that it counts as a Data Controller under ICO requirements. Even where it has named an individual as the Data Controller, that person may have data protection as just one of several areas of responsibility, meaning that, with the best will in the world, some of the provisions might slip through the net.
With regard to SMEs, should there be a data breach that results in a claim, directors could be held liable. It is their duty to ensure that the organisation is GDPR-compliant, so any loss that ensued could, theoretically, be recovered from the directors, were it shown that they had failed to ensure a robust compliance regime.
Similarly, with UAs, trustees could hypothetically be held liable for any losses incurred for non-compliance.
As well as making sure that your organisation is discharging its duties under DPA 2018, it might also be sensible to consider whether your organisation should insure against losses arising from any claims relating to data breaches.