The UK's incoming data protection laws could bring with them a wave of "no win, no fee"-style companies, experts have said.
Much of the discussion about the impact of the EU General Data Protection Regulation – which comes into force in May 2018 – has focused on the fines regulators can impose.
Although these are large – up to 4 per cent of annual turnover or €20m – lawyers and tech execs have said a surge in class-action suits could be a bigger financial burden.
"One point I think people miss when they're looking at GDPR is that they are always looking at the regulator," Julian Box, CEO of cloud biz Calligo, said during a roundtable event in London today.
"But the real challenge is going to come from people asking, 'what data do you have on me?'"
Box argued that people who realised companies were holding data that they shouldn't could file a class-action suit – and that the costs related to that would "dwarf" those handed down by a regulator.
He added that some firms would be quick to latch on to the prospect, encouraging people to ask companies what data they hold on them and offering to assess whether they had a right to sue, on a no win, no fee basis.
"We truly think you're going to see ambulance chasers here," Box said.
Robert Bond, partner at law firm Bristows, agreed that there would be attempts to tap into this market, and that this would be especially so after a data breach.
"The area we foresee [being used] is emotional distress – having ambulance-chasing lawyers saying, 'have you lost sleep because your data might have been exposed?'" Bond said.
"You can imagine, if a million people make a claim of £1,000 each, that dwarfs any of the other fines."
He added that, with the cost of notifying data subjects about the breach, possible fines from the regulator and related brand damage or falling share price, there could be a "perfect storm" of costs.
Neil Stobart, global technical director at Cloudian, agreed, saying: "You can guarantee there will be a whole industry out there."
The panel – which also included Noris Iswaldi, who leads global GDPR consulting at EY, and Peter O'Rourke, the director of IT at the University of Suffolk – said the biggest challenge is that firms often don't know what data they collect, or where it is held.
In addition, some senior teams believe this is a problem for the tech team to solve – for instance, failing to realise the regulation covers paper records, or mistakenly thinking there is a simple technical solution to seeking out data held on their systems.
"The struggle is they think it can be solved by IT and it cannot," said Stobart. "The data owner needs to look at their data, and say whether it's relevant for them to keep."
Other panellists agreed, saying that companies often try to hang on to data in the hope it will one day be valuable to the business.
"There's a real cultural hump to get over, where companies have to get over the idea that it's the data," said Adam Ryan, chief commercial officer at Calligo. "But once you've got that moment of enlightenment, you can have much easier conversations."