The upcoming Data Protection Bill must be amended to ensure independent organisations can help people who are affected by a data breach to seek redress, says consumer firm Which?
There is general confusion among the public about how to seek redress following a breach, and independent groups should be allowed to help them legally.
A recent research study commissioned by Which? revealed that a lot of people don’t have a clear idea of whom to approach or how to get compensated if their sensitive data is lost in a data breach.
Even though at least one in ten people have been victims of a data breach in the past year, one in five don’t know how to claim redress following a data breach, and a fifth don’t know who is responsible for helping them when data is lost.
Considering the public’s predicament, Which? is now calling for the upcoming Data Protection Law to be amended so as to allow independent organisations to help affected people seek compensation and other forms of redress when a company has failed to take sufficient action following a data breach.
‘People have the right to redress when there is a data breach. But, if the company at fault has acted negligently and doesn’t offer adequate support or redress, currently the only option available to consumers is a lengthy and potentially expensive route via the courts,’ the group said.
Which? says as many as three-quarters of people it surveyed have expressed support for such an amendment in the Data Protection Law.
The Data Protection Bill, which is based on Europe’s General Data Protection Regulation (GDPR) and which is expected to come into force next summer, is heavily consumer-oriented. When it was first announced to the public, Digital Minister Matt Hancock said that it would ‘give people more control over their data, require more consent for its use, and prepare Britain for Brexit’.
Once the new law comes into effect, companies will be required to obtain explicit consent from people before collecting their personal data or storing it for any purpose. Aside from personal information like names, addresses, email addresses, phone numbers and government ID numbers, such data will also include IP addresses, DNA, and cookies.
At the same time, companies will have to respect any customer’s request to have their data amended or deleted from the company’s servers. Consent will not be permanent, and citizens will be able to withdraw their consent at any time.
If any company fails to comply with the new law, resulting in a breach that compromises customer data, the Information Commissioner’s Office will have the power to issue fines of up to £17m, or 4% of the company’s global turnover.
‘Given the number of data breaches we’re now seeing – and by extension, consumers impacted – it’s not a surprise to see consumer groups like Which? calling for more action and greater scope for compensation for the victims,’ says Tony Pepper, CEO and co-founder of Egress.
‘Which?’s demands seem to be towards the right for them, and similar consumer rights groups, to represent victims collectively. If it helps to address the bad behaviour of organisations when handling data then groups acting in the interests of consumers can only be a good thing.
‘For the organisations on the other end of it though, there’s going to be more pressure than ever before to get a grip on the data they hold, or it could prove an incredibly expensive mistake,’ he adds.
It remains to be seen if the government will consider the request made by Which? in the near future.