GDPR is everywhere on LinkedIn, newsfeeds and the weekly emails I subscribe to from various tech providers and industry sources. I don’t know about you, but when I click through and read the aforementioned articles I generally have found them to be of little substance and even less value.
Last week I attended an event called “Are you ready for GDPR with one year to go?” and felt for the first time I had seen someone present on GDPR who actually knew what they were talking about. The content fired up my imagination and triggered various emotions, especially when the possibility of GDPR being the new PPI was raised, so I thought I would share a few of these thoughts.
Now as background (if you don’t already know) I work for an IT solutions company that has for many years worked with several of the large financial services companies in the UK, developing lots of innovative solutions to fix many different business problems. A chunk of these solutions have been in the PPI space; for example, we are currently delivering a large-scale solution to a bank which will allow them to dramatically reduce the manual processing time of a PPI claim from hours to just a few minutes, which is especially timely now that the time-barring announcement has been made and the claims are coming in thick and fast.
So how could GDPR be the new PPI? Well the claims management companies that have profited massively from the PPI issue have spotted their next market opportunity. Data claims. Using GDPR as their legal basis, an individual could claim they suffered damage because a company has mismanaged their data, either by holding incorrect data about them, by keeping data they shouldn’t have or by misusing that data.
Article 82.1 states:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”
This potentially opens a floodgate of claims, again on a no-win, no-fee basis, which the claims companies can offer up to anyone.
Under GDPR, organisations can no longer charge for a DSAR (Data Subject Access Request), so there will be no barrier to anyone asking every company they have ever dealt with to respond with what data is held about them. This means that DSAR requests, which at current rates may come in at tens per week, could easily be in the hundreds or thousands, and with the response deadline reduced from 40 days to 30.
The view is that these DSAR requests could then lead to claims that data is incorrectly held or used, and therefore that the individual has suffered damage and has a right to financial compensation. The organisations would then need to settle these cases or get involved in legal proceedings to prove otherwise. It could be that these financial settlements are small on an individual basis, but if the volume of claims is large then the financial impact on a company could be significant.
Does GDPR being the next PPI worry me? No, I see it as a fantastic opportunity. GDPR is ultimately about doing the right thing for customers, and we are ready to help our customers achieve this. Not only does my company have a great data compliance toolset, it also has a way of automating DSARs across multiple systems and unstructured data to allow companies to deal with this potential rise in requests quickly and efficiently. So, as I said, GDPR is everywhere and data breach news stories are ubiquitous, and I say bring it on!