GDPR represents a step change in privacy rights across Europe, a report from law firm DAC Beachcroft claims

The rush to monetise personal data represents a “new oil” matched by its toxicity in the environment under increasingly harsh data privacy rules, according to DAC Beachcroft.

Europe’s General Data Protection Regulation (GDPR), applicable from 25 May 2018, is the major focus of the “Big Data” study.

GDPR introduces new provisions that will “dramatically change” the risks and potential liabilities facing data processors and controllers, reported the law firm.

“We live in the age of Big Data,” said the foreword from DAC Beachcroft partners Hans Allnutt and Rhiannon Webster.

“The ability to capture, analyse and utilise massive troves of data has increased exponentially thanks to technological advancements over the past twenty years,” they continued.

“Companies that have been able to monetise data, particularly personal data, have achieved the greatest growth. It is no wonder that personal data has been described as the “new oil” and we are in the boom,” added the foreword.

The effect of the GDPR on organisations that rely on personal data “cannot be underestimated”, Allnutt and Webster warned, in the report, entitled “Personal Data: the new oil and its toxic legacy under the General Data Protection Regulation”.

“A theme of our findings was that sanctions and litigation will increase across Europe,” said the report’s foreword, adding that “those organisations that are not prepared to deal with its toxic legacy will be hit hard”.

Dac beachcroft data report gdpr

Data privacy fines in Europe vary wildly, the report explained, but that harmonisation under GDPR will “dramatically” increase the degree of potential penalties that can be levied.

“First, the level of fines will increase significantly for most member states: up to €20m or 4% of annual worldwide turnover, whichever is the highest,” noted the report.

“Second, it will clarify that each member state’s supervisory authority is able to issue such fines,” the law firm continued.

“Third, harmonisation should, in theory, be enforced by the European Data Protection Board, which will supervise the application of sanctions across all member states,” the study added.

The next few years of harmonisation will be challenging, DAC Beachcroft emphasised.

“If harmonisation is not achieved under the GDPR, at least in the early years, there is a risk that this could lead to data heavy organisations taking a strategic decision to relocate their central administration or main processing activities to more lenient jurisdictions,” added the report.

Compensation is also “fragmented” in Europe, for those whose personal data is caught up in corporate transgressions.

Under the regulation’s article 80, data subjects have the right to appoint certain nonprofit bodies to lodge a complaint on their behalf, and exercise their right to compensation.

“Whilst it remains to be seen exactly how this will be put into practice in each member state, it does raise the possibility of group litigation,” the law firm warned.

GDPR’s article 82 empowers data subjects to claim compensation for material and non-material damage resulting from an infringement of the rules, from both controllers and processors.

“While this represents the status quo in some member states, for a number of member states this either extends or introduces the right to compensation for breaches of data protection legislation,” said DAC Beachcroft’s report.

“It is clear, however, from our study that the GDPR will trigger a wave of increased litigation and compensation claims across most of Europe. Unsurprisingly, this change may be most pronounced in jurisdictions where the litigation cost regime is more favourable to claimants,” the legal firm added.