Please contact us at info@ctrlimited.co.uk if you cannot find an answer to your question.
When a GDPR rule is not followed (for example when a Privacy Notice is not given, is defective, is not in the right format or is not given at the right point in the flow), any individual who suffers material or non-material damage as a result is entitled to claim financial compensation (Article 82 UK GDPR); the claim does not depend on regulatory action by the ICO.
Huge organisations such as Google have been sued for significant sums because they failed to provide the right kind of notice at the right point in time. Google already lost a similar case back in 2015 (Vidal-Hall v Google): the Court of Appeal found against them, Google obtained permission to appeal to the Supreme Court and then settled confidentially before judgment.
The principle established in that case applies to all businesses. A business that has failed to follow even one of the 99 GDPR articles has handed a potential claim to every customer whose data it holds; all the customer then needs to do is bring the claim and show the damage (including distress) that the failure caused them. One caveat a practitioner should note: the Supreme Court later held in Lloyd v Google [2021] UKSC 50 that loss of control of data on its own, without material damage or distress, does not attract compensation, so each claimant has to evidence their own loss.
By bringing GDPR legal knowledge and accounting principles together, the team at CTR will look at a business’s GDPR compliance procedures and documents and produce an in-depth report that identifies the breaches and quantifies the financial risk to the business. The report can then be used to add a data risk provision for this risk to the business’s annual accounts.
In accounting, provisions represent funds put aside by a company to cover anticipated losses in the future. In other words, a provision is a liability of uncertain timing and amount. The data risk provision can be used by eligible companies to provide a safety net to cover the cost of compensation claims the company has exposed itself to through historic non-compliance with the GDPR and other data privacy legislation.
Government statistics (the DSIT Cyber Security Breaches Survey) show that roughly half of UK businesses identify a cyber breach or attack in any given year, so on average a business can expect to be breached within a two-year cycle. Under GDPR the business must report a breach to the ICO within 72 hours where it is likely to put individuals at risk, and must tell the affected customers themselves where the risk to them is high; each customer who suffers damage as a result then has a claim. Breaches are a fact of life and carry huge cost for the business. We know many that have been breached multiple times.
In the same way that banks provided for claims for PPI mis-selling in their accounts, businesses can provide for claims relating to GDPR breaches.
The data risk provision reflects the likely level of claims and costs a business faces because it is not GDPR compliant.
In accounting terms, it reduces the amount of profit on which the business pays tax. It does not reduce the amount of cash in the business, just the amount going out in tax.
GDPR has applied since May 2018, and HMRC allows a company tax return to be amended within 12 months of its filing date, so in practice the two most recent years can be revisited. CTR can work with you to determine the level of your provision and set it against current corporation tax due, or recover it from past corporation tax paid, where applicable.
The provision does not necessarily have to be reversed later. To do that the entire provision would have to be released. As GDPR is an ongoing issue and no business can become 100% compliant, that is not prudent.
For example:
• It is going to take time to fix the historic breaches, and they will never be fully dealt with, so some level of provision should always be retained.
• All businesses are always going to be subject to cyber-attacks (that give rise to associated claims); and
• Businesses will always get something wrong in relation to the 99 GDPR rules, because of their complexity.
The provision should, therefore, be reviewed annually, and it is likely that some level of data risk provision should always be kept. Whether it is kept at a level which means the initial corporation tax recovered is never brought back into charge is a matter of judgement.
A company’s value is traditionally calculated from its revenue, reputation, market conditions, prospects and growth history. One factor that is regularly forgotten is its adherence to data privacy laws, yet this can have a huge effect on the value of the business and even its saleability.
CTR can calculate the effect your data protection posture is having on your company's valuation and the losses you could potentially face, and provide you with the means to improve that valuation.
A survey of 500+ Mergers & Acquisitions practitioners across Europe, the Middle East and Africa by Euromoney found that 55% of them had worked on a transaction that did not progress because of concerns around a target company’s data protection policies and compliance with GDPR.
Insurance against GDPR compensation claims is not available at present. Even if you could obtain it, the insurer would want proof that you are GDPR compliant, and could refuse to pay out otherwise.
By definition, a successful GDPR claim against you means a GDPR rule was not followed, so you were not GDPR compliant. You can get cyber-security insurance, so if your systems are breached the insurer will pay for IT help and business interruption, but in our experience they will only pay if you can show that you were GDPR compliant in the first place; check the compliance warranties in the policy wording before relying on it. If 1,000 customers sued for £5,000 each, would the insurer pay that £5 million bill when your premium was £2,000?
The level and severity of the breaches we identify while assessing your business will determine your path to compliance. You will receive a report identifying the areas you need to improve. Many businesses are able to implement these changes themselves before their annual review; others choose to employ a third party to handle their remediation. CTR will discuss the best options for your business with you when we have completed our assessment and report.
Our fees are only due once the data risk provision has been included in your accounts and HMRC has accepted the corresponding tax return. We will then invoice for our consultancy service, which is tax deductible, with the VAT recoverable where your business is VAT registered.
Copyright © 2024 CTR Limited - All Rights Reserved.
Company Number 12851542