GDPR: New challenges three years on

by Egress
Published on 25th May 2021

Since its introduction three years ago, GDPR has changed people’s perception of their rights around data privacy. Individuals are realising they have the power to fight back when their personal data is leaked in a data breach – especially when they fight together as part of a class action lawsuit.

To mark the third anniversary of GDPR, we wanted to know whether security leaders were concerned about this new challenge. Or are regulatory fines still their biggest fear? To find out, we commissioned an independent survey by OnePoll to interview 250 security leaders and DPOs in the UK as well as 2,000 UK consumers.

We discovered that the threat of legal action is indeed front of mind for today's security leaders. A huge 90% are concerned about group legal settlements following a serious data breach – higher than the 85% concerned about regulatory fines.

Our findings showed that they may be right to be concerned. Just under half (47%) of consumers said they would likely join a class-action lawsuit against an organisation that leaked their data. As a response to these concerns over GDPR, we also found that 91% of security leaders are turning to cyber insurance to protect themselves either by taking out new policies or increasing their cover.

What the experts had to say...

Tony Pepper, Egress CEO

“The financial cost of a data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.

Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist.

With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation."


Lisa Forte, Partner at Red Goat Cyber Security LLP

“The greatest financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.

European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and without explicit Government intervention, companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.

The recent Google case that currently sits with the UK Supreme Court could make group claims 'opt out' instead of 'opt in.' That will inevitably mean every single customer affected would be entered into the group action. This should be a huge worry for companies.

Companies need to really prioritise preventative measures both technical and human and have a tested incident plan in place.”

Eric Bedell, Luxembourg’s DPO of the Year 2020

“When enforced back in 2018, GDPR set the tone of how use of personal data should be regulated.

When regulatory fines have been in the news (and often used as a trigger for GDPR implementation), there is also a lesser-known aspect: the right to take legal action against an organisation, not only for data breaches, but also for failure to erase personal data, to rectify, to respond to Data Subject Access Requests (DSARs) or to provide portable information.

In the United States, under CCPA, we have seen many actions, in Europe this is not (yet) widely used. However, I predict that this will grow as this right to take legal action becomes more popular - especially knowing that the ICO publishes a web page to provide guidance for data subjects taking such action.

As a firm this is a risk you want to consider, maybe more than regulatory fines, in my view.”

Edina Csics, GDPR & Data Protection Consultant at GIS-Consulting BVBA

“While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done.

I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber-insurance.

Data breaches do occur, and it’s a matter of when and not if, but in many cases these could be prevented. But whatever their motivation, be it fearing collective lawsuits or regulatory fines, in taking steps to avoid financial damage, their actions may play in favour of consumers and the protection of their data.

Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more organisations can do to guard personal data.”

Kevin Tunison, Egress DPO

“The legal uncertainty of GDPR data transfers to third countries has the potential to compound the risk of group action. For organisations that adhere to Privacy Shield, even in the absence of its validity requires contribution to a legal fund for binding arbitrations.

In the event the financial costs of breaches increase, so will the necessary contributions for maintaining Privacy Shield certification.

As the UK works to expand its own agreements with third countries to enable the free flow of data, there is the increased likelihood of data breach litigation resulting from these new relationships. This is especially true if those countries have opt-out group claims they could bring in the UK.”

How to protect your business?

Regulatory fines are no longer the only thing businesses need to be aware of when it comes to GDPR. The threat of class-action lawsuits loom large. But it doesn’t have to reach that point – not when data breaches are stopped at the source.

Find out how intelligent technology can protect your business from data breaches. All the cybersecurity information you need is right here.