- When a data breach occurs, controllers need to act fast but also consider the identity of the individuals concerned.
- Appropriate responses may vary. Consider factors such as potential resentment against the controller, employment status and age.
Following a personal data breach, what can data controllers do to limit their exposure to data breach claims? And to what extent should breach response be shaped by the identities of the data subjects themselves?
The rise in data breach claims has been well reported. This is largely a direct result of the GDPR (General Data Protection Regulation) giving data subjects a statutory right to claim compensation for non-material damage in addition to material (financial) damage. Claimants can therefore seek awards for inconvenience or distress caused by the loss or unauthorised disclosure of their data, a much lower threshold than under earlier data protection law.
This, along with the onerous notification obligations the GDPR places upon data controllers, can make it appear that the scales are tipped