In 2018, the GDPR and resulting UK legislation, the Data Protection Act 2018 (the DPA), came into force and along with it a raft of new measures that organisations responsible for looking after people’s data were required to comply with.

Over the past two years, we have seen an increasing number of claims being made alleging that an individual’s data protection rights have been breached.

Whilst these claims are often of low value, they can still be quite a nuisance. As a result, the legal fees of defending the matter can easily outstrip the compensation claimed. We have set out below the key points to consider if you receive a letter of claim to assist you in working out whether the claim is worth managing in-house or referring to legal advisors to respond.

Basis for a claim
Most claims start by alleging that the data controller has breached the GDPR or the DPA by:

  • Sharing personal data without consent;
  • Retaining or sharing personal data without having a legal exemption to do so; or
  • Failing to comply with a request to delete data.

Some claimants also argue that the organisations' actions are negligent, in breach of a person’s Article 8 rights to a private and family life, have misused private information and are in breach of confidence.

In general, a claim for negligence does not apply as there is no duty of care implied in law to protect a person’s data and therefore in most circumstances, you can disregard this claim (Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)).

For claims of breaches of Article 8 rights, use of private information and confidence, whether the claim has any merits or is merely the claimant trying to overplay their hand depends on the facts of the claim and we recommend you seek legal advice should you wish to defend it.

Tips for settlement
In many circumstances, the sums claimed are trivial which means that the cost of instructing solicitors to advise, respond and negotiate on your behalf can quickly outstrip the value of the case. If you choose to negotiate with the claimants yourself, we suggest you consider the below when seeking to chip away at the claimant’s claim.

Part 36 offers
Claimants often make a Part 36 offer because if accepted, it will mean that you will be required to make payment of their legal fees separately to the amount you have agreed to pay the claimant by way of damages. Accepting a Part 36 offer can mean you more pay than you intended to when you accept the offer.

We, therefore, suggest that you do not accept a Part 36 offer initially and instead seek to negotiate a single figure, letting the claimant’s solicitors claim their fees back from their client.

Article 8 limitation
For claims of breaches of a person’s human rights pursuant to the Human Rights Act 1998, a claim must be brought within one year of the incident itself. Therefore, if the claimant’s claim is over one year after the incident they are referring to, you may be able to argue that the claim is time-barred so you are not required to make payment of damages for that claim.

Loss suffered
Damages claimed ought to reflect the loss or damage suffered by the person whose data rights were breached however, often claims do not set out the basis upon which they calculated the sums claimed and instead appear to choose a figure at random. As this is a relatively new type of claim, the case law governing losses is limited.

However, a few points to keep in mind are:

  • Valuing data can be difficult so figures can be difficult to quantify rationally unless an expert data valuer is involved. Therefore, there is usually scope for negotiation down.
  • Damages for distress are generally low, ranging from £75 - £1,000. Damages will increase if the distress caused by the incident is long-lasting.
  • Damages for loss of control are likely to be nominal unless the individual can prove that they were going to use the data for commercial gain and have lost profits.

What to do if you receive a data breach claim
In our experience, many claims are relatively low and most are trying their luck. Admitting to facts can give the claimant’s the validation they need to pursue their claim and seek to increase the level of damages they are seeking. We therefore strongly recommend that no admissions as to the facts are made if you seek to negotiate directly with the claimants.

In some circumstances, the claims can be defended by a comprehensive letter of response which helps to diminish a claim, or even scares the claimant away. We, therefore, suggest you refer a letter to your data protection officer (DPO) and/or seek legal advice before responding to the facts of the claim to avoid inadvertent admissions and rising damages.

For more information

If you have any questions about claims for breaches of data protection laws, please contact Niamh Millross, solicitor.