Beware the GDPR 'no win, no fee ambulance chasers' – experts

Companies told to quit hoarding customer data and get a grip on where it's held


The UK's incoming data protection laws could bring with them a wave of "no win, no fee"-style companies, experts have said.

Much of the discussion about the impact of the EU General Data Protection Regulation – which comes into force in May 2018 – has focused on the fines regulators can impose.

Although these are large – up to 4 per cent of annual turnover or €20m – lawyers and tech execs have said a surge in class-action suits could be a bigger financial burden.

"One point I think people miss when they're looking at GDPR is that they are always looking at the regulator," Julian Box, CEO of cloud biz Calligo, said during a roundtable event in London today.

"But the real challenge is going to come from people asking, 'what data do you have on me?'"

Box argued that people who realised companies were holding data they shouldn't could file a class-action suit – and that the related costs would "dwarf" those handed down by a regulator.

He added that some firms would be quick to latch on to the prospect, encouraging people to ask companies what data they hold on them and offering to assess whether they had a right to sue, on a no win, no fee basis.

"We truly think you're going to see ambulance chasers here," Box said.

Robert Bond, partner at law firm Bristows, agreed that there would be attempts to tap into this market, and that this would be especially so after a data breach.

"The area we foresee [being used] is emotional distress – having ambulance-chasing lawyers saying, 'have you lost sleep because your data might have been exposed?'" Bond said.

"You can imagine, if a million people make a claim of £1,000 each, that dwarfs any of the other fines."

Fines

He added that, with the cost of notifying data subjects about the breach, possible fines from the regulator and related brand damage or a falling share price, there could be a "perfect storm" of costs.

Neil Stobart, global technical director at Cloudian, agreed, saying: "You can guarantee there will be a whole industry out there."

The panel – which also included Noris Iswaldi, who leads global GDPR consulting at EY, and Peter O'Rourke, the director of IT at the University of Suffolk – said the biggest challenge is that firms often don't know what data they collect, or where it is held.

In addition, there is a belief among some senior teams that this is a problem for the tech team to solve – for instance, they fail to realise the regulation covers paper records, or mistakenly think there is a simple technical solution to seeking out data held on their systems.

"The struggle is they think it can be solved by IT and it cannot," said Stobart. "The data owner needs to look at their data, and say whether it's relevant for them to keep."

Other panellists agreed, saying that companies often try to hang on to data in the hope it will one day be valuable to the business.

"There's a real cultural hump to get over, where companies have to get over the idea that it's the data," said Adam Ryan, chief commercial officer at Calligo. "But once you've got that moment of enlightenment, you can have much easier conversations." ®
