Class-action Lawsuits Under GDPR

Posted on by | No Comments

(Will Force Businesses To Focus On Security)

Even after years of GDPR policies in Europe, the effect of the class action lawsuits on personal data has yet to show evidence. While class action figures may be low at the present, the number of cases is expected to rise. In 2018, France saw a 32% increase in the complaints recorded by the data protection authority. [Commission Nationale de l’informatique et des libertés (CNIL), rapport d’activité 2018, p. 2]. GDPR granted the European union member to authorize class-action lawsuits to claim monetary damages. Now, the general public in the countries has shifted from the stage of understanding the new provisions to claim their privacy rights.

Personal data class actions have a significant impact on mass litigation and data security breaches are among the main driving forces of class actions occurring. Having a data protection practice and privacy policy is strategically beneficial for businesses and amping up the security is now all the more important.

So, now when the problem of privacy risk arises, businesses need to ensure that they have a solid security system and protective measures in place, to keep the customers’ data safe.

Things To Ensure A Solid And Secure Privacy System

  • Vigilance And Awareness About The Usage Of Customer Data By Vendors And Partners 

Businesses tend to partner up with any third-party vendors for ease of processes. Though awareness about reviewing the Data Processing Agreements during procurement is common knowledge, yet, businesses tend to skip this very essential step. Under GDPR, any business can be held financially accountable, if their third parties fail to keep the customers’ data safe. The reviewing of the vendors’ DPA to ensure privacy compliance is a key focus. It is imperative to ensure that their data policies align with the company’s stated protocols, to prevent a case of contradiction. Checking of the terms regarding subcontractors is also important – if the vendor is contracting another processor then it should be under the company’s knowledge. This adds an extra security layer, in case of legal compromises occurring, due to the offloading of data duties to a non-compliant third party by the vendors.

  •  Performing Impact Assessments To Monitor Risks Whenever Processing Data

In almost every GDPR related case, impact assessments for data processing are mandatory. But the implementation of even the most basic risk assessment, for data activities, is a tedious process. It compels the business to think about their decisions on issues like data storage, subcontracting, etc. securing the business in the most hassle-free and cost-effective way. Having a proactive and dedicated action-plan to overcome, goes really well with the regulators, after facing a litigation charge from the public, subsequent to a cyberattack.

 The Information Commissioner’s Office provides free data protection impact assessment templates such that the accurate assessment of privacy risk in a business can be tracked.

  •  Striving For Clarity In The Privacy Policies Of The Company 

When the project policies are being reviewed by the stakeholders during the yearly sessions, businesses must ensure that the promises in the policy are accessible to all the customers. Privacy policy with complicated legal terms may appear beneficial (that has open clauses for interpretation) but the focus is to generate trust in the public, with easy-to-understand policies. The privacy policy must be thorough and on-point instead of being tailored for customers fluent in legal jargon.

  • Having A Designated Data Protection Officer (DPO)

Irrespective of the size of an enterprise, having a centralised responsibility holder for any date decisions is necessary, instead of keeping the responsibility spread across departments. A DPO serves as the vital point for any privacy concerns in an organisation. Furthermore, they are responsible to act as a liaison to regulatory bodies, in cases where privacy law enforcement is questionable. This ensures that business gets dedicated protection in an easier and cost-effective way.

Managing the digital transformation is a risky task but it is unavoidable, therefore, adapting to as quickly as possible is crucial. Having unnecessary risks at bay is an intelligent choice for any business by complying with the regulatory rules and having the customers satisfied, at one shot.

Tips To Avoid Becoming A Target Of Privacy And Data Breach Class Action Lawsuits –

  1. Lack of coordination between business and compliance standards

Operations often tend to develop and products and services are frequently updated by an organisation. So chances of the privacy notices and disclosures not remaining consistent are likely to occur. Incidents of the new updates or reintroduced functions of the product surpass the existing policies and practices can always happen. Therefore, every organisation should keep caution on the wind, to keep the disclosures and notices meaningful and valid with the updated practices of the institute. When business processes and compliance is consistent, cases of consumer violations are less likely to occur. Organisations should establish policies in a way such that they are applicable to any future prospects or company’s expected updates.

  1. Adding Casually Upbeat And Impressive Language To Privacy Notices

Companies tend to get casual and add promising conclusive statements to privacy notices. Statements that have open-ended meanings can be tempting as opportunities to exploit the loopholes can be useful in case of potential lawsuits. Such dubious statements can create disbelief in customers who are tech-savvy and privacy-aware. The seemingly safe play can stab on the back as chances of lawsuits and appeals on the basis of the very statement can play against the company. So it is better to remove such ambiguous remarks from the privacy policy and keep things concise.

  1. Disclosing Half-truths And Hiding Of True Actions

Generally, businesses tend to accurately inform their extent of data collection and sharing practices and to avoid such claims is to go in detail. Including the use of all collection technology cookies, pixels, and software development kits (SDKs) to properly drafting the disclosures and implementing  “just-in-time” notices

can help against such privacy-based claims.

  1. Failing To Have Test Incident Response Plans

The most important part is to have a proper backup and incident response plan for any business under the onslaught of a breach. Chances of getting a class action lawsuit for delayed notification of data breach is a common incident. Nowadays the reputation of a company really is affected due to a potential cyberattack as these incidents happen to everybody.  Customers are concerned about how quickly a business manages to overcome the situation, what measures they take and whether the response plan works effectively.

Chance recovery from a breach is also possible if the business manages to handle the incident response function properly, thus avoiding the statutory damages.

Security is a rising concern among customers and how a company performs largely depends on the trust public shows towards its policies. The loss incurred from a data breach has increased with the new additions of class action lawsuits to GDPR, adding extra litigation reimbursement.  Therefore, it is all more important to have stringent security measures in a company.

Download our CISO as a Service white Paper Download

matt hardy

View posts by matt hardy

Matt is a global CISO with 20+ Years of Directing International Security Programmes for Multi-Billion Pound Organisations. With a passion for security and a cybersecurity evangelist.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.