Since news broke regarding the British Airways data breach, the airline - which is already facing massive fines of up to £500 million from the Information Commissioner’s Office – is now set to face legal action from customers who have suffered financial losses.

The legal action was instigated by SPG Law, who are seeking compensation for their clients, not only for their financial losses, but also claiming costs for the “inconvenience, distress, and misuse” of their personal data.  

SPG Law confirmed that they have sent the airline a “Letter before action” document, in order to commence discussion regarding settlement. Within the letter, it states that If BA refuse to cooperate this will result in group litigation, which would allow the courts to manage numerous cases against them at once.

Tom Goodhead, a Partner at SPG Law discussed the airlines failings, stating:

Three Graces Legal is a commercial law firm which has many years' experience in dealing with civil claims for compensation, including large commercial dispute matters. We also deal with claims arising out of breach of the Data Protection Act and GDPR.

Our specialist data protection claims solicitor, Aaron Pearson, is a GDPR practitioner and the firm has acquired the standard of ISO17024 for GDPR practitioner and Cyber Essentials.

We make compensation claims on behalf of individuals and businesses who have been adversely affected by a breach of the Data Protection legislation. 

We offer a wide-range of funding arrangements, including been able act for you under a no win, no fee agreement.

We are specialists in pursuing civil claims for a breach of the Data Protection legislation. The law is constantly evolving to keep up with such a changing landscape, particularly where data is concerned. More than ever, we have to ensure that we remain vigilant, while organisations who collect and process our data must take measures to avoid a breach, otherwise they may be faced with a claim for compensation.

Compliance with data protection law, and moreover, the GDPR, is vital. We act for many businesses in advising them how to stay compliant so as to avoid any unwanted legal proceedings for breach of data protection laws. Equally, we act for individuals who have suffered some harm as a result of a data protection breach.

Three Graces Legal have seen how the changes arising from the existing Data Protection Act 1998, which was usurped by the European Directive, enabling a person to claim compensation for distress alone, has developed to be written into the General Data Protection Regulation. This now enables an individual to rely on a binding EU Regulation to claim compensation for distress arising out of a data breach.   

When seeking to acquire informed consent the default solution tends to be that you can obtain a written consent from each and every customer. This is of course perfectly fine, if it is manageable. But even  overcoming this task leaves the burden of gathering the consent documents and filing them, followed by ensuring the data is correct etc.

Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes that you are seeking consent to carry out, and look at alternative lawful bases.

The Article 29 Working Party (WP29) published an assessment of the balance between legitimate interests of employers, and the reasonable privacy expectations of employees. In which it outlines the risk assessment posed by modern working practices, where new technologies enable more systematic processing of employees’ personal data at work, which bring about challenges in regards to privacy and data protection.

Processing of personal data on the use of online services and location data from a smart device, are much less visible to employees than other more traditional types such as overt CCTV cameras, yet they encapsulate our lives more so.

The Director at the Serious Fraud Office (SFO), Lisa Osofsky, has recently announced her plans to utilise artificial intelligence in order to deal with fraud cases that are data- heavy.

Osofsky, the former FBI Lawyer discussed the SFO’s plans in her first speech since taking on the chief role:

Personal data is defined within Article 4 of the General Data Protection Regulation (GDPR) and means solitary or group data that can be used to identify an individual. The following are examples of personal data:

• Name
• Home address
• Driver’s license