GDPR: you may need to compensate your supporters if you infringe their data protection rights
There has been a lot of talk recently about the potential new and rather dramatic increase in monetary penalties under GDPR.
Many legal firms are attempting to paralyse the charity sector with the terrifying notion that they might get a £20m fine for sending their donors unlawful communications. I honestly believe this won’t be the case: no one I have spoken to really believes the ICO will issue fines anywhere near this level.
Of course we shall need to wait and see. Yes, you should be GDPR-compliant before the deadline, but remember: as long as you have made a start on compliance, can demonstrate the processes are in place and that you understand the fundamentals, the ICO will work with you. Of this I’m sure.
Not such good news
If that sounded like good news, here’s some not so good news. Aside from the fines there is something else to bear in mind.
Articles 79 – 83 of the GDPR talk about the rights of data subjects to compensation from you if there is an infringement of their rights. Basically, if you process data, lose data or share data unlawfully, your supporter or customer could look for a judicial remedy from you. They are going to have the right to sue you!
This might be for material loss, but it could also be for non-material loss such as distress. How do we know this will happen? Because firms of lawyers will dedicate resource to help those who are victims of a data breach claim their settlement.
It will no longer be a question of “Have you had an accident in the past five years?”. It will be: “Have you had your personal data misused in the past 5 years?”
So, while you ponder your data protection strategy, bear in mind it isn’t just the ICO fine you’ll need to consider. It is your supporters’ class action which could inflict considerably more pain.
Image: “The Law” by smlp.co.uk is licensed under CC BY 2.0