


It will soon have been three years since GDPR was introduced in the UK, after coming into effect in May 2018. During those years, law firm Nelsons has seen a consistent increase in the number of enquiries it has received relating to GDPR breaches, in particular, how professionals such as GPs and social services approach confidential data.


A solicitor specialising in data protection claims at the East Midlands law firm is now warning people to make sure they are aware of their rights when it comes to GDPR and what they can do if damage is caused as a result.

Kevin Modiri, partner and solicitor at Nelsons, said:

“The GDPR, which stands for General Data Protection Regulation, is the toughest privacy and security law in the world. At its core, it’s a set of rules – made up of 99 articles – designed to give people more control over their personal data with the risk of harsh fines and awards of compensation against those who violate its standards and regulations.

“GDPR is still a relatively new law and, since it was brought into effect in May 2018, we have received enquiries from potential clients with questions relating to how organisations can handle their data and also from organisations enquiring how best to comply with their obligations.

“While GDPR’s article 16 states that people have the right to rectification of incorrect data and have the right to erasure or to be ‘forgotten’ in article 17, there are some exceptions to this – medical records, for example.

“At the moment, we’re seeing a lot of crossover when it comes to defamation linking to data breaches. Therefore, it’s crucial for people to understand their rights when it comes to GDPR and what happens if a data breach has taken place.

“However, it’s also of paramount importance that organisations that are handling data are given access to adequate training with regards to GDPR and how they should approach and manage situations similar to the above to avoid heavy financial penalties.”

What constitutes a GDPR breach?

“There are a number of potential scenarios and ways in which a GDPR data breach can manifest itself, including records containing inaccurate information, data that has been lost or leaked, or the disclosure of data to third parties without lawful consent or lawful authority for doing so.

“Let’s look at medical records as an example. Take a patient who has confided in their doctor for a number of years about concerns over their alcohol intake but no action has been taken other than the notes recorded during appointments. The same patient then sees a different GP at the same practice and again mentions the concern about drinking, which in turn results in that doctor writing a letter to the DVLA telling them the individual has a drinking problem and that they shouldn’t be allowed to drive.

“In this scenario, the GP should have followed the procedure of speaking with the individual and recommending they inform the DVLA themselves. However, as the GP bypassed the patient to approach the DVLA and share that information without consent, this is a clear breach of the patient’s data and is an example similar to those presented by many clients who have approached us for legal advice.

“Another example is where social services have inaccurately maintained their records relating to a child with the effect that the child is removed from the care of an innocent parent. Given how many different case handlers tend to be involved over the course of an investigation, this sort of scenario is extremely possible and indeed we have had enquiries in similar circumstances.

“As social services incorrectly maintained their records, this is potentially a breach of GDPR and therefore the individual potentially has a valid claim.”

Are there any circumstances where GDPR does not apply?

“Yes, there are. GDPR was and is European legislation. Notwithstanding us leaving the EU, GDPR is incorporated into the laws of England and Wales by virtue of the Data Protection Act 2018 (DPA) and therefore is here to stay. Schedules two, three and four of the DPA set out a number of exemptions to the applicability of GDPR. By way of example, there are certain exemptions relating to the prevention and detection of crime and also in respect of taxation.

“An obvious practical example that springs to mind is the operation of the Money Laundering Regulations, which place an obligation on those regulated by those regulations to make a report about their clients in circumstances where there is a suspicion of money laundering.”

What should I do if my data has been breached?

“If a person’s data is unlawfully or negligently held or mishandled, this breach could have serious personal implications for the individual involved. If this happens, the victim may be able to make a claim for compensation due to the damage and distress the data breach has caused them.

“The amount of compensation that can be awarded for a data protection breach claim varies depending on the damage that has been caused. With successful claims, the compensation that is awarded is intended to put a person back in the position they were in prior to the data breach occurring.

“GDPR is a complex and sometimes daunting thing to understand, so it’s important you speak to a solicitor if you think you have been affected by a data breach.”

For more information on how Nelsons can support with breach of data protection claims, please visit:
