Despite the increased fines that the GDPR introduces, the ICO’s fines were always likely to be one of the smaller bills that organisations in breach have to pay.

To give an example: in October 2015, 157,000 of Talk Talk’s customer accounts were hacked.  Talk Talk was fined £400,000 by the UK’s ICO (a record fine at the time), but Talk Talk’s costs of fixing the breach (PR, comms and purchasing identity protection for the affected customers) have been estimated at between £30 million and £60 million.  Even a radical increase in the ICO’s appetite for fines would have been unlikely to shift the balance in the short to medium term.

However, two further factors are likely to keep the ICO fines, even with the GDPR, on the smaller side of things (size being relative in these cases).

The first factor is the arrival of group actions for data breach. The first data breach class action (under the DPA, not the GDPR) has recently succeeded.  JMW Solicitors, a Manchester law firm acting for 5,581 Morrisons employees whose payroll details had been placed on the Internet by a disgruntled employee, won in the Court of Appeal.  Damages have not yet been awarded, but can cover both financial loss and distress.

On a similar theme, two separate law firms, SPG Law and Hayes Connor Solicitors, are planning group actions against British Airways for BA’s recent data breach.  The first firm expects damages per claimant of up to £1,500, the second expects damages per claimant of up to £5,000.  Even at the more modest £1,500, the numbers are eye-watering.  The BA breach involved 380,000 individuals.  380,000 x £1,500 = £570 million.

The second factor is the fact that the final cut-off date for PPI claims is August 2019.  From that date the claim management companies, which have been the driving force behind PPI, will be looking for new sources of revenue.

To give some idea of how quickly multiple claims can add up: to date, the banks have paid out £32.9 billion in PPI compensation in relation to 13 million claims, giving an average value per claim of approximately £2,500.

 

It’s going to be a stormy ride.