ITN Solicitors has reportedly initiated what may lead to the first collective action under the GDPR: an action against Facebook in relation to the Cambridge Analytica data breach. Boards should pay close attention to this and remember the decision about vicarious liability made in the Morrisons case.
Yes, in the event of a significant data breach, GDPR fines are likely to be substantial, as will the reputational damage. That, however, may be the least of it.
The size of the award in a collective (‘class action’) lawsuit, with or without a finding of vicarious liability, may substantially increase the financial impact on the organisation. And the problem with most data breaches, unlike the Cambridge Analytica one, is that they exploit weak defences and, however well protected an organisation thinks it is, arrive out of the blue like a thunderstorm, bringing storm damage in their wake.
Every board’s risk register should include the risk of a data breach, with the risk estimation including the possibility of a sizeable collective award as well as possible ICO fines.
It’s probably a lot less expensive just to get breach ready.