The High Court has awarded two people damages for distress after breach of data protection law.
An organisation had published a report that contained personal data about them which they successfully alleged was inaccurate, had been processed unfairly and unlawfully and which the organisation had not taken reasonable steps to verify.
They were awarded £18,000 each for distress.
Insight
There are very few cases about the amount of compensation people should receive for ‘distress’ when their personal data has been compromised. The facts of this case are unusual, so the amount awarded may not be representative for most cases.
The judge said “Damage” for these purposes is not confined to material loss. Compensation for distress is recoverable in any case, even if material loss is not sustained … and compensation is recoverable for a contravention that interferes with [an individual’s] control over his data, even if this does not cause material damage or distress. That compensation must provide redress for the interference with autonomy, and any distress caused by the breach. It seems to me that the Court’s approach to the assessment of damages for reputational harm and distress resulting from inaccurate disclosures of personal data should follow established common law principles.”
The amounts awarded were based on the Judge’s assessment that “the claimants were of robust character, not given to undue self-pity” and were accordingly (as described by the judge) “modest”.
If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.