Inevitably it will transpire that mistakes will have been made by professionals giving (often very expensive) guidance on GDPR compliance. Their clients will want to consider whether a claim for professional negligence can be made. In this article Neil Hext QC, Stephen Innes and Helen Evans of 4 New Square discuss some of the issues which are likely to arise in such claims.
Standard of care
Much of the advice which is being obtained in relation to GDPR is from lawyers. In that situation, the standard of care required is straightforward: the reasonable care and skill of the solicitor or barrister, although there may be some scope for argument as to the level of specialisation expected. Is it the reasonable care and skill of a commercial solicitor, or is it that of the solicitor specialising in information/data protection law?
In many cases it will be the latter, because of the way that advisers have been holding themselves out as specialists: see Jackson & Powell on Professional Liability, 8th edition, §11-101. Sometimes the specialism can be really quite precise, as recently in Agouman v Leigh Day  EWHC 1324 (QB) where it was that of ‘a reasonably competent firm with a department specialising in group litigation for unsophisticated clients arising from events in a poor and unstable African country’.
The position could be more difficult where the advice has not been given by legal professionals. Many have been advertising their services as ‘GDPR consultants’. By what standard are they to be judged?
If, although not lawyers, in fact they have strayed into giving legal advice, it is suggested that they will be judged by the standards applicable to the legal profession: Jackson & Powell, §2-137.
But if they have not given legal advice, can they be judged by the standard of ‘the reasonably competent GDPR consultant’? That would entail expert evidence from other GDPR consultants, but as these are not necessarily part of a homogeneous group, and as this specialism has sprung up relatively recently, it may be challenging for such an expert to give the requisite evidence of the accepted standards in the profession, rather than the (inadmissible) evidence of what he/she would have done differently.
Breach of duty
We will have to wait and see what specific errors come to light. Errors are inevitable, because of the length, complexity and opacity of the Regulation.
There may be cases in which the ICO or the courts adopt an unexpected interpretation of a particular provision, in which case it may be possible to argue that the interpretation placed on it by the adviser, although subsequently shown to have been incorrect, was not in fact negligent.
But equally, the complexity of the Regulation may mean that the adviser has a duty to put forward competing analyses as possible outcomes. The question of when a professional person owes a duty to advise that there is a risk that his or her advice is not right has been a recent hot topic, see:
Causation, mitigation and loss
There will be enormous scope for arguments about causation and related principles.
Organisations may have to make decisions between (i) a strategy or policy which is most likely to be GDPR compliant but does not fit at all with their operational model, and (ii) one which suits their business much better but which does not give quite the same certainty on compliance.
If the decision can later be seen to have been the wrong one, will that organisation be able to prove that differently advised it would have taken a different decision?
Where enforcement action is threatened or taken, such as regulatory fines being imposed, we anticipate that many of the same issues will arise as are frequently encountered in claims against accountants and auditors. For example:
The sorts of innovative steps that can be taken were illustrated recently in PML v Persons Unknown (responsible for demanding money from the Claimant)  EWHC 838 (QB), where Nicklin J granted an injunction against unnamed hackers, which could then be used to prevent third parties publishing the information.
Issues are likely to arise too under South Australia Asset Management Corpn v York Montague Ltd  AC 191 and BPE v Hughes Holland  UKSC 21, which raise the familiar distinction between the professional who provides information and the professional who gives advice and is therefore responsible for wider consequences of that advice being wrong. In this area there could be real risks for GDPR professionals: many of the advertisements we have seen do not merely offer information about the requirements, but promise to assist clients in ensuring GDPR compliance, and the consultants may be deemed to be ‘guiding’ the businesses on how to conduct themselves.
It will probably take some time for the problems to start coming to light, as there will be a strain on the resources of bodies such as the ICO in taking enforcement action; so the first legal cases will take some time to work their way through the litigation process. In years to come, limitation arguments will arise.
Claimants will argue that they only suffered damage to found the cause of action in tort for the purposes of s 2 of the Limitation Act 1980 when the ICO imposed the fine on them, or when they had to agree to pay compensation to the client.
But that is a difficult argument because the likelihood is that, following cases such as Forster v Outred & Co  1 WLR 86, the claimant will probably have suffered damage at the time when it put in place practices which have proved to be defective; that is the point at which its potential liability arose.
Of course, as with so many claims against professionals, s 14A of the Limitation Act 1980 may come to the rescue, giving the claimant three years to bring a claim from the date of their relevant knowledge.
But one of the features of GDPR so far has been the extent to which the threats and challenges have been well publicised in the national press and through channels such as LinkedIn and Twitter. It is to be anticipated that enforcement decisions, successful claims for compensation and so on will be similarly well publicised.
Thus there will be arguments that even if a claimant was not itself the subject of enforcement action at the time, it ought to have been alerted to a potential problem because it should have considered the reports of difficulties encountered by other organisations which had been advised by the same consultants, or which had adopted the same practices.
Neil Hext QC, Stephen Innes and Helen Evans are barristers at 4 New Square.