Parts of the Data Protection Act 2018 also came in force on 25 May. This was very quick when you consider that the text of it was only finalised on 21 May and royal assent was only granted on 23 May. Now that the dust is starting to settle, it is helpful to reflect a little on what some of the requirements in the GDPR will mean for those involved in litigation. Three areas which we suggest merit consideration are set out below.
Who are you sharing personal data with?
Personal data will generally require to be shared a number of times before, during and after the course of a court action. Examples of this include running traces to obtain up to date contact details for an opposing party, instructing counsel to prepare court papers, sending information to the court and instructing sheriff officers to serve court papers.
Considering the role of the person with whom personal data will be shared is important as different procedures will need to be applied depending on whether they are classified as a processor or controller. Making sure that appropriate procedures are followed and being clear what will happen to persona data when you share it is important.
How can the GDPR assist with accessing information?
Rights of data subjects is one of the central areas in the GDPR. The right for individuals to have access to personal data which is held about them is one of these rights. The ability of individuals to exercise these rights to obtain copies of their personal data (often referred to as making a subject access request) is something which may be either a help or a hindrance to litigation proceedings depending on who you are acting for.
It is possible that you may need to provide advice to your clients, or indeed take a view yourself in response to a request you have received, as to whether personal data can be withheld on the basis of legal professional privilege or confidentiality. Under the Data Protection Act 2018 exemptions apply to:
- information in respect of which a claim of legal professional privilege or, in Scotland confidentiality of communications, could be maintained in legal proceedings, or
- information in respect of which a duty of confidentiality is owed by a professional legal adviser.
What about compensation claims?
The GDPR sets out a right for individuals to seek compensation for either material or non-material loss which they suffer as a result of infringements by either controllers or processors. This is, of course, not a new concept. It was possible for individuals to raise claims under the Data Protection Act 1998. A recent example of this was the December 2017 decision in the case of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 where 5,518 employees claimed compensation from Morrisons on the basis of the actions of an employee who has posted personal data of around 100,000 of Morrisons employees on the internet.
Whilst it may often difficult for individuals to claim a large amount of compensation for a personal data breach, group actions where a breach has affected a large number of individuals such as the Morrisons case may prove very costly. It is worth remembering that group actions may be possible in Scotland when the provisions set out in the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 are brought into force.
There is no doubt that the GDPR will give us a lot to think about for some time.