The birth of GDPR claims management

With the introduction of the General Data Protection Regulation (GDPR), how close are we to a culture of GDPR compensation claims? With so many companies within the EU holding personal data, and an unprecedented challenge to adhere to the regulations, how vulnerable will companies be to future claims? Individuals may not have the time or energy to deal with litigation, so many failures will go unchallenged; but delegating such activity to law firms and to new businesses established for this very purpose could place an increased amount of pressure on firms to comply with requests. Also, how will cyber insurance policies be adapted to protect against such claims? A new level of litigation is in the making, perhaps.

The traffic accident compensation culture has evolved quite significantly in the UK, and the number of personal injury claims is at an all-time high. They have increased to the point that, almost immediately following an accident, claims management companies are lining up to take on cases. Television channels and websites are inundated with commercials offering no-win-no-fee arrangements, and insurance policies either include legal support or make it available to customers as an add-on option. The following are indicators of what is emerging, although the coffee machine chatter on the subject shows a difference of opinion on what the marketplace will look like two years from now.

  • Businesses are increasingly using a thought leadership approach to demonstrate understanding and credibility in data protection related issues, particularly in the insurance and litigation spaces. Generally, companies and individual professionals are positioning themselves as experts in the field.
  • Published reports and surveys indicate that large numbers of businesses are unprepared for GDPR compliance, suggesting the number of potential claims will be high.
  • Issues which lead to businesses being open to litigation are highly likely to involve many customers and less likely to be one or a handful of individuals. The lack of compliance is more likely to be systemic. Rather than an individual making a claim and approaching a law firm, litigation is more likely to be driven by events taking place or failures identified, then finding the customers willing to jump on the bandwagon.
  • There is a growing compensation culture within the UK. This is not to say that people are not entitled to claim if they have suffered a loss, but rather it illustrates a change in attitude. What was once (in my lifetime) a ‘get up and move on’ approach has given way to a situation where someone suffering a loss is more likely to think first ‘can I claim compensation?’.
  • Politicians have complained about the adverse effects of excessive litigation on the economy and society. Politicians have also given undertakings that if elected into government, they would ‘cut out the cancer of litigation’.
  • Many new pieces of legislation are being introduced which give people the right to compensation if they suffer a loss. It is reasonable to expect that people will exercise such legal rights, and depending on the magnitude at which this happens, the process will need effective management.

These are indicative of a growing risk to companies who manage large quantities of personal data. There is also an increasing opportunity for existing and new companies to emerge, both to protect organisations and to deal with litigation arising from failures to comply.

How much info is too much? (Part 4 of 4)

Address the issue of what information to provide by defining the overall process for dealing with new clients. This process doesn’t need to be complicated and having a process to follow will prevent digression into off-topic discussions; importantly, avoiding all conversations about previous clients and focussing on what the client needs now and in the future. Having your process in place reduces the risk of being drawn into following someone else’s.

  1. The client shows an interest in your services because they need help to solve a specific problem.
  2. Ask specific questions about what services are required and what problems the client faces which require attention. Depending on the complexity, it may be necessary to arrange a consultation to discuss the specific requirements.
  3. Provide a summary of discussion points and conclusions, and a proposal to deliver, along with costs and timescales.
  4. Further consultation and refinement of the proposal may be necessary.
  5. The client accepts or rejects the proposal.

The point with this process is to gain credibility from taking a professional approach to solving the potential client’s problems, not by demonstrating what you delivered to previous clients. Although lots of companies and individuals have similar issues, clients don’t want their laundry washed and dried in public.

Companies understandably want to undertake a measure of supplier due diligence, so it stands to reason that suppliers should apply the same level of scrutiny to potential clients. If the above process is followed through, you can quickly filter out phishing attempts: the discussion on requirements will have taken place without any confidential information being discussed.

In parallel with discussing requirements, acquire additional information to verify that the client and their needs are genuine. Client due diligence is more than checking to make sure you are likely to get paid for the services provided. Gather facts about the client to make sure they are who they claim to be, and assess risks such as money laundering, terrorist financing, impersonation and identity fraud. Check sources such as public brochure websites, due diligence websites and public registers such as Companies House.

To conclude on confidential information: potential clients whose primary interest is in understanding what services you delivered to previous clients, and who show no interest in discussing their own current predicaments, should be treated with a level of suspicion. However, not all will be fraudulent with malicious intent; there are plenty of market research companies that are skilled at extracting information while pretending to be potential customers.

How much info is too much? (Part 3 of 4)

In the previous two parts, the general conclusion was that within the IT sector so much emphasis is placed on past clients and past projects that a conversation could easily be a phishing exercise to extract information about previous clients. People bidding will feel compelled to answer because they believe that not doing so will exclude them from an opportunity; in other words, they are psychologically coerced into being unprofessional through fear of loss.

  • Discussing previous clients with potential future clients is unprofessional; we have covered this in detail. However, in a sector where it has become a de facto standard, people willing to disclose vast amounts of confidential information about previous clients are awarded contracts for being seen as more cooperative. Professionalism, or lack thereof, doesn’t often come into it.
  • There are no regulations which protect client confidentiality in IT. Unlike other professions, IT and IT security don’t have licences that could be revoked by failing to take confidentiality seriously or any sanctions at a regulatory level. There are terms of business and non-disclosure agreements which provide protection, but the onus is on clients to enforce such contracts.

What is professional and unprofessional is somewhat subjective. The majority of solicitors care deeply about client confidentiality as part of their profession, but the same is not true in Information Technology. Consequently, it becomes challenging to compare the two, as the definitions of professionalism are kilometres apart.

At a time when news articles are published daily about cyber threats and data breaches, is it time for a behaviour change when it comes to client confidentiality? Gone are the days when someone had a job for life; these are the days when large numbers of IT practices offer valuable services to large numbers of individual businesses. Professionals in the IT sector have often participated in hundreds of projects and accumulated vast knowledge about the inner workings of their own or their employers’ clients.

How much info is too much? (Part 2 of 4)

Part 1 focused on discussions about clients and projects; however, the same applies to printed and electronic literature which showcases products and services. Mentioning a list of client names to illustrate the general target audience and profile of clients is one thing, but there is another level of detail which goes too far and can cause problems for clients.

The key is to quickly determine the difference between conversations about real opportunities and phishing or data mining conversations. It is not healthy to have a 15-minute conversation with someone you think is a potential client or anyone in the value chain, and spend most of the time talking about past clients and not come close to discussing requirements.

  • As a service provider, the essential points are about what the potential client needs. A client serious about solving a specific problem will be willing to discuss it in detail. Establish credibility by discussing how to address current challenges.
  • If confidentiality and sensitivity are an issue, use a non-disclosure agreement before discussing confidential matters. Issuing standard terms and conditions that include confidentiality is also an immediately available option.
  • If the opportunity is genuine, the conversation will be a two-way process, and both parties will better understand what is required and offer appropriate solutions. If the caller is evasive when answering questions, for example closing down questions and changing the subject, it will feel like an interrogation and is unlikely to relate to genuine requirements.
  • Why would someone ask how much you charge for services but not be willing to engage and discuss what problems they are trying to solve and what their requirements are? More thought needs to go into why someone is asking specific questions, rather than feeling compelled to answer every question.
  • It is good practice to state that ‘matters involving previous clients are private and confidential’, even if you didn’t sign a non-disclosure agreement with previous clients.

Generally, if the opportunity is genuine, the focus will be on how to resolve current problems and what the requirements will be.