If you want to scare yourself, run an online search with the criterion, ‘data breach claims’. You will find a long list of companies offering ‘no-win no fee’ with the question, ‘Was your personal data leaked?’ If you remember the PPI frenzy, it might concern you.
There are specifics in the search results, such as ‘NHS data breach claim’, and, despite the ICO not being able to award compensation, ‘ICO data breach compensation’. However, the ICO has a role to play in such matters. Without naming any companies, in November they fined one £125 million following a major data breach, which included payment card details. Rumours suggest a number of group-actions are being considered. Whether this is true or not is immaterial. The point is, it is possible.
It’s a double-pronged threat to any SME with considerable data on email marketing list which might be seen as valuable to other interested parties. On the one hand, there are the regulators who are able 
to impose eye-watering fines, up to a percentage of gross turnover. That alone would be bad enough. Then there’s the dreadful publicity associated with such fines.
On top of all that, we have the risk of considerably higher costs of civil actions for damages. If you look at individual payments awarded, some in the low thousands, it doesn’t look particularly damaging. Even the awards for more serious breaches, the most frequently reported being £12,500 each to two asylum seekers, you might think you could survive. Our problem is the sheer number of subscribers we have on our email marketing lists.
It’s not a simple case of counting the number of subscribers who have had their data leaked in some way and then multiplying it by an average of £7000 or so. It’s a bit subtler than that. That said, their unpredictability is the only thing we can be sure of with civil courts.
You must protect not only your data but your company as well. The GDPR states that data should be, ‘processed in a manner that ensures appropriate security of the personal data . . . using appropriate technical or organisational measures.’ It goes on to suggest, in précis form, that there is no individual limit to each claim, and that circumstances surrounding the breach should be considered. Go to https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/ for the full details. It is essential to read the ICO security pages.
A conviction by the ICO for a data breach will ease the passage of compensation lawyers as most of their work would have been completed, although this can work for us. If we suffer a data breach and the ICO looks into it, after we’ve promptly told them of our concerns, as we are obliged to do, and we can show we complied with the advice on their website as regards security, any penalty is likely to be less severe. It could go for compensation claims.
Take care of your email marketing list data, and not only for your own purposes. Keep your security as high as possible, and be able to demonstrate how responsible you’ve been.
