We are delighted to announce data protection expert Henry Davies as a speaker at #RISK London, opening this autumn.
Henry began his career in data protection as an analyst with Veolia UK & Ireland. He progressed in the role rapidly and developed his sector experience before joining Likewize as Data Protection Lead earlier this year.
As data protection-related class action cases intensify, Henry will speak on a panel at #RISK London to explore how such lawsuits start, the challenges they present, and what organisations can do to avoid them.
Prior to his talk, Henry described his professional journey so far and gave us the lowdown on this crucial issue.
Could you outline your career pathway?
I was coming to the end of my Politics degree and was looking to start a career in anything other than politics. An opportunity as a Data Protection Analyst with Veolia UK & Ireland presented itself and I decided to take the plunge.
John Hield, the Data Protection Officer, gave me a chance and I found myself in a career that I absolutely loved. Keen to take on more responsibility, my role expanded to Deputy DPO, and I started to take on significant projects including implementing and managing the certification to ISO 27701 (Privacy Management) for the business.
I joined Likewize in May this year as the Data Protection Lead. The business was keen for me to refresh their data protection compliance programme, and I am the point of contact for all data protection issues in EMEA, whilst also providing ad-hoc support to the APAC region.
For me, hands-on experience comes first and qualifications come second, underpinning that experience. However, professional development is important to me and in 2021, I was awarded a distinction in the Postgraduate Certificate in Data Protection Law and Information Governance. I took the programme onto the next stage and this year was awarded a distinction in the Postgraduate Diploma in Information Rights Law and Practice. I am now undertaking the final stage of the programme, by completing a 15-17,000-word thesis for the full Masters, with a focus on data protection and employment. I also hold the CIPP/E certification.
What’s behind the rise in the number of data protection-related class action cases?
Since 2018, we’ve seen a major rise in the number of opportunistic firms turning to the “Data Breach Claim” business model. I suspect, with the end of the PPI claim window in 2019, there was suddenly a gap in the market which lots of firms believed the GDPR would be the answer to.
It seems that every time there is a serious incident in the media, within hours adverts are being pushed to people’s social media platforms, enticing them to make a claim. When you combine this with a (slowly, but steadily) growing understanding from the general public of what their rights are, and what organisations’ obligations are, we have been faced with what some would consider a perfect storm.
However, the Supreme Court ruling in Lloyd v Google showed that the class-action model for data protection claims will be very hard to pursue. The decision (in a nutshell) means that “loss of control” was not enough to award damages, and that each individual claimant would need to have suffered distress and prove as such. Whilst this case was under the DPA 1998, the judgement is still being considered in cases under the new regime.
What lessons can businesses take from some of these cases to improve data protection processes?
For me, the first lesson is that data protection isn’t out to get them. Anyone who has told you otherwise was likely trying to sell you something. With this in mind, as professionals we should be trying to shift the conversation out of the negative and into the positive.
Businesses should stop thinking about data protection compliance as a fine- / lawsuit-avoiding exercise and start to see it as a (compulsory) framework for conducting business responsibly, and as something that their customers genuinely care about.
What we’ve seen so far from class-action claims is that they are predominantly focussed in the cyber/digital areas (as you would expect), so engagement with your IT team is essential, as well as meaningful investment in cybersecurity people and tools.
However, the highly publicised class-action against TikTok in the UK, which has now been dropped (in part, due to the result of the Lloyd case), was actually focussed predominantly on transparency and consent. As such, organisations should be aware that the right to compensation is not limited to personal data breaches.
Article 82 makes it very clear that data subjects who suffer a “material or non-material damage as a result of an infringement” of the law are entitled to receive compensation, i.e. not complying with the UK GDPR to the detriment of the data subjects may lead to claims, even if no data is breached.
What are some of the principal challenges that organisations need to overcome to avoid class action lawsuits in future?
Organisations should always be considering their governance, risk and compliance framework and measuring its effectiveness. This should obviously take a risk-based approach. If you’re a small company processing simple data for a handful of customers, then your measures will be less extensive than that of a global health conglomerate!
Irrespective of size and complexity, you need to be aware of what and where your risks are. Ignorance is not bliss. You must be able to identify, assess and manage your risks; both at a high level and at a more granular, operational level. To do this, it’s important that risk is seen in a holistic way. Where you may have different functions within your business holding different risk registers, there needs to be someone / something collating these risks and thinking about the crossovers. Risks around theft and security may also pose a risk to the security of data. Risks around fire or natural disaster may also pose a risk to integrity and availability of data. Breaking down silos is a massive challenge, and often requires a significant shift in culture.