Is GDPR the New PPI Class Action Waiting to Happen?

London, 20th March 2018 – The General Data Protection Regulation (GDPR) could take over from the Payment Protection Insurance (PPI) scandal as a new outlet for claims companies to make money, says Fifth Step CEO and GDPR author Darren Wray.

PPI was mis-sold to 34 million policyholders in the UK, and in 2011 it was ruled that claims could be made to claw back the money. More than £40 billion in compensation has been paid out since 2011. The window for claiming PPI closes after August 2019, when the industry will need a new revenue stream to stay solvent. The next big thing for these claims companies could be GDPR class actions.

Wray says: “With a class action suit, it’s a major challenge for an individual to make their case heard so claims companies do it on their behalf. More than 10 million people have pursued PPI claims so GDPR class action claims could be the way forward for claim companies, which is a scenario that has been laid out to me by recent conversations with some eminent legal professionals. All it will take is a few tweaks to implement a new type of process and some conversations with legal partners to smooth the path to arranging suits. The timing is right, the people are already in place and the motive is there. The only question to ask is: ‘why not go for it?’

“There are many organisations around the world whose GDPR readiness is at a significantly lower level than it should be with less than 70 days to go so it makes it incumbent on directors to exercise reasonable care both in the execution of their duties related to GDPR, but also conveys a duty of care upon the director over the organisation. This requires that the organisation and director have effective risk management systems in place.

“Where does this leave carriers, managing agents, MGAs and brokers? In many respects if you haven’t started yet, you need to start right now. Managing agents, MAs and brokers in particular are likely to be more exposed and are likely to be collecting and processing far more personal data than they think. I’m often asked what my advice is to companies who are behind with their GDPR project. My answer is pretty simple: with the timeframe you're probably going to need some extra help and support from people that have done this a number of times before.

“The other question is: ‘To DPO or not to DPO?’ Firms that process more than 5,000 records of personal data, or those who process personal sensitive data must have a Data Protection Office, or use a third party service (such as the one provided by Fifth Step). Always be improving: GDPR really isn't a one and done project; every change project from now on will have to have a GDPR compliance check.”

Darren Wray is the CEO of Fifth Step, who are helping all parts of the insurance sector to be GDPR compliant, from their offices in London, Bermuda and New York. For more information about GDPR and Fifth Step visit www.fifthstep.com.
