For anyone responsible for monitoring GDPR and the breach notification requirements, I wanted to call out an interesting matter that was summarized in a recent IAPP blog post. A UK-based company recently had a large data breach and complied with the 72-hour notification requirement, but now finds itself facing a potential "class action" lawsuit seeking damages equating to the maximum fine under the GDPR and citing Article 82, the "right to compensation and liability." It will be interesting to see if this goes through and if we see more of these types of suits.
The full IAPP post by Paul Jordan is available on iapp.com.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.