GDPR risks for retailers – it’s not all about fines: Mini-series 2 – GDPR-related litigation



Much of the focus in the retail and legal press in recent months has been on the eye-watering level of fines which data protection regulators can impose for infringements of the new EU General Data Protection Regulation (GDPR) legislation [1]. However, in this mini-series Walker Morris’ Heads of Regulatory & Compliance and Commercial Dispute Resolution, Jeanette Burgess and Gwendoline Davies, offer practical advice in light of other GDPR-related risks which are becoming increasingly prevalent issues for retailers.

In our earlier article we explained what retailers need to know about data subject access requests. In this briefing Jeanette and Gwendoline look at compensation claims and group litigation, and share their legal and practical tips.

Enhanced rights, enhanced risk

GDPR delivers new and enhanced rights for individuals in relation to their personal data, including the right of access, the right to rectification, the right to be forgotten, the right to object to or restrict processing, the right to data portability, and rights related to automated decision-making. GDPR also introduces certain direct obligations on data processors and the requirement for detailed contractual obligations to be implemented between all data controllers and processors. There are also new mandatory notification requirements in relation to data breaches (including informing individuals directly without undue delay, if the breach is likely to result in a high risk to their rights and freedoms), and specific requirements in relation to documentation and record-keeping.

All of that, combined with the recent bombardment of GDPR-related emails, means that consumers are becoming increasingly aware of their status as data subjects and emboldened in relation to the exercise of their data protection rights. When the ever-present threat of increasingly sophisticated cyber-attacks and data breaches is added to the mix, it comes as no surprise that individuals want more control over their data, reassurance about how it is used, managed and protected, and the ability to seek appropriate redress when things go wrong.

So, with GDPR placing an increased level of responsibility on those who process personal data whilst, at the same time, online shopping and digital marketing mean that data collection, processing and retention are more important than ever, it is vital that retailers understand the risks.

The right to compensation

If an individual considers that the processing of their personal data infringes GDPR, he or she has the right to complain to the regulator (in the UK, the Information Commissioner). Since the coming into force of GDPR, affected data subjects now also have the right to apply to the court for compensation. Importantly, this covers material or non-material damage, and so individuals will still be able to make a claim where there has been no monetary loss. This could include, for example, claims for reputational damage, embarrassment, distress, inconvenience or anxiety.

Unlike under the old Data Protection Act 1998 regime, claims can now be brought against both data controllers and data processors. A controller or processor will be able to escape liability if it can prove that it is “not in any way responsible” for the event giving rise to the damage. However, whilst it is not yet clear exactly how this will be interpreted in practice, the wording certainly suggests that there will be a high hurdle to overcome. Being able to demonstrate compliance with GDPR requirements will be key.

Depending on the circumstances and the nature of the infringement, retailers could, in addition or alternatively, find themselves also facing other types of claim such as those for misuse of private information or breach of confidence. Directors could also find themselves subject to claims where, for example, a data breach results in a reduction in share value.

The prospect of group litigation

GDPR allows a data subject to authorise a not-for-profit body, organisation or association (for example, a consumer group such as Which?) to exercise certain rights on his or her behalf, including the right to receive compensation. In addition, member states may provide that such a body has the right to lodge a complaint with the regulator or to apply to the court for a remedy, independently of the data subject’s authority, if it considers that the data subject’s GDPR rights have been infringed as a result of the processing.

This issue of collective redress is one of the limited opportunities afforded to member states to decide how GDPR applies domestically. It was the subject of significant debate when the UK’s new Data Protection Act 2018 (the Act) (which came into force on the same day as GDPR, and is to be read alongside it) was passing through the various parliamentary stages as a Bill before it became law. In fact, not only does the Act reflect the requirements of the GDPR, it also goes further – providing the Secretary of State with “the power to make regulations enabling representative bodies to bring collective proceedings on behalf of data subjects in England and Wales or Northern Ireland by combining two or more claims in respect of data subjects’ rights, where those data subjects have given their authorisation to the representative body”. This is designed to provide an effective mechanism for a representative body to seek a remedy in the courts on behalf of a large number of data subjects.

The threat of group litigation is, therefore, a real one. In Various Claimants v Wm Morrisons Supermarket plc [2], a group of more than 5,500 employees brought a civil claim for compensation against Morrisons, using one of the currently available routes for group litigation under the Civil Procedure Rules, after one of its ex-employees deliberately leaked payroll data of thousands of staff online following disciplinary action. Morrisons was not found directly liable, but there was a sufficient connection between the individual’s position of employment and his actions to establish secondary (vicarious) liability. This was despite the disclosure of the data being made outside working hours using the individual’s personal equipment. An appeal of this judgment is currently outstanding and Walker Morris will monitor and report on developments.

With recent high-profile data breaches affecting millions of individuals (including retailers’ staff and customers), and in the current climate of increased awareness of data protection rights, group litigation has the potential to result in substantial and damaging exposure, both in terms of value and reputation.

Practical advice

  • Data protection is a boardroom issue. To reduce the risk of being on the receiving end of a GDPR-related claim, it is essential that retailers take data protection seriously. Robust policies, procedures, systems, safeguards and organisation-wide staff training must be put in place to ensure GDPR compliance – and, crucially, to be able to demonstrate that compliance. Such measures must also be kept under review as the business develops and changes.
  • Contractual arrangements between data controllers and processors should be reviewed to ensure that they address clearly and unambiguously the parties’ respective obligations and liabilities, including in relation to breach reporting and the settling of compensation claims, and include all the ‘boiler plate’ terms which are mandatory under Article 28 of the GDPR. Retailers, in particular, should ensure that they properly manage any data protection risks within their supply chain [3].
  • While it is unlikely that insurance will be available to cover potential regulatory fines, retailers should consider reviewing their insurance cover to help limit the damage, financial and reputational, in the event of a GDPR-related claim.
  • If a data breach or other infringement does occur, it should be dealt with promptly and effectively, with clear communication to the affected individuals so that they can take any necessary steps to minimise loss. Organisations may wish to consider appropriate redress schemes to help rebuild customer trust and shore up any reputational damage. It will be important to learn from previous incidents and take steps accordingly to limit the likelihood of a similar incident happening again in the future.
  • Looking beyond issues of pure compliance, GDPR provides retailers with an opportunity to innovate, to review and improve data management, and to maximise the potential of their data assets. It is about good business practice: being accountable, transparent and fair; managing data responsibly; giving individuals greater choice and control over how their personal data is used; building a culture of privacy; and integrating data protection into the heart of the business.

If you require assistance in relation to any of the issues raised in this briefing, please do not hesitate to contact Jeanette or Gwendoline, who will be very happy to help.


[1] Up to 2 per cent of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
[2] [2017] EWHC 3113 (QB)
[3] See our more detailed briefing for further information and advice.