Why Organisations Must Act Now on Data Protection Compliance: Lessons from Farley v Paymaster
Posted in Data Protection
The recent Court of Appeal decision in Farley and Others v. Paymaster (1836) Limited has sent ripples through the data protection landscape in England and Wales. By confirming that claimants (the individuals bringing a claim over a data breach) can recover compensation for a well-founded fear of the consequences of that breach, without any threshold of seriousness having to be crossed, the judgment significantly raises the stakes for any business that handles personal data.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data (https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/)
How can claimants recover data subject compensation?
A claimant issues proceedings in court and must identify a legal basis for the claim. In England and Wales that basis is Article 82 of the UK GDPR, read with the Data Protection Act 2018, which gives an individual the right to compensation from an organisation if they have suffered damage as a result of its breaking data protection law. “Damage” covers both “material damage” (for example, financial loss) and “non-material damage” (for example, distress).
What are the key facts of this case?
In Farley, the respondent (the party defending the claim) administered the pension scheme covering Sussex Police. In late August 2019, it posted Annual Benefit Statements (‘ABS’) to members of the scheme. Each ABS contained the member’s date of birth and national insurance number together with pension-related details, including their police service, salary details and their accrued and forecast pension benefits. The problem was that in excess of 750 ABS were posted to out-of-date residential addresses.
A substantial cohort of affected officers instructed solicitors who wrote a letter of claim. The respondent admitted that there had been a data breach and that the officers were “entitled to pursue the [respondent] for loss, damage and/or distress allowable at law”. The respondent’s case was that the claimants did not plead a reasonable basis for claiming compensation for fear of what might happen with their personal data being breached (“the fears and concerns referred to ... are entirely irrational”.)
The Court of Appeal rejected the long-assumed requirement for a ‘threshold of seriousness’ in compensation claims under the UK GDPR and the Data Protection Act 2018. Earlier cases had suggested that trivial data protection claims could be struck out on that ground alone. Farley departs from this approach.
The court emphasised that a fear about the consequences of a breach must be objectively well-founded; but where it is, the resulting non-material damage (anxiety or distress) is compensable, with no minimum level of seriousness to be met.
Did the Court provide guidance in relation to what would be considered ‘well-founded’ and what would not?
The Court established that the viability of a compensation claim resting on fear depends on whether the alleged fear is objectively well-founded, distinguishing it from fears that are "purely hypothetical or speculative". Lord Justice Warby set out that:
· “The fact that these appellants [claimants] cannot prove that their ABS were opened and read does not of itself show that the fears they entertained were not well-founded.”
· “The test of reasonableness cannot depend on hindsight. It must be applied with reference to the facts and matters that were or should have been known to the appellant at the time they experienced the stated fear.”
Although the Court accepted that whether a claimant’s fear is well-founded can be determined at this preliminary stage, it declined the invitation to carry out that exercise itself. The respondent’s application on this point was therefore remitted to the High Court for determination.
Why does this decision matter for organisations handling personal data?
For businesses, this ruling is a wake-up call. Without a seriousness threshold, even a minor breach can lead to costly litigation, and reputational damage and regulatory scrutiny can follow on top of the financial exposure. Organisations can no longer expect to defeat a claim by arguing that the breach was too trivial to give rise to compensation.
What do we know about the costs incurred and/or resources required for dealing with data breach complaints or litigation?
Jessica Whittick, Specialist Data Protection Solicitor, explains that “Responding to a data breach isn’t just a technical fix; it’s a legal, financial and reputational challenge that can drain resources across an entire organisation. The true cost of a data breach often lies not in the initial incident, but in the litigation, regulatory scrutiny, and long-term exercise of rebuilding trust that follows.
Every data breach complaint/litigation is a reminder that data compliance is compulsory, and being empowered by the legal landscape by being one step ahead with proactive compliance is a frontline defence against costly legal exposure.”
What are some key practical steps to address compliance?
To avoid data breaches and to mitigate the risk of complaints and litigation, organisations should:
- Reflect upon the ICO’s data on the most common types of data breaches. Contrary to common belief, they are not sophisticated attacks: the ICO’s incident statistics are dominated by data emailed or posted to the wrong recipient, which is exactly what happened in Farley.
- Conduct regular data protection audits to identify vulnerabilities, including checks that the contact details used for postal and email communications are current.
- Implement robust incident response plans, ensuring swift action when breaches occur.
- Train employees on legal compliance, emphasising the importance of accurate data handling.
- Review contracts with processors to ensure clear accountability and compliance obligations.
- Maintain transparent communication with data subjects and regulators in the event of a breach.
- Implement a standalone data protection complaints procedure before the relevant provisions of the Data (Use and Access) Act 2025 come into effect.
Conclusion
The Farley decision underscores that data protection compliance is neither optional nor something to be addressed only after an incident – it is required by law and it is a proactive business imperative. By investing in compliance now, organisations can reduce their exposure to claims, protect their reputation and build trust with customers in an era where data is both an asset and a liability.
How Tozers can help
At Tozers, we understand the complexities of data protection and the importance of staying ahead of regulatory changes. Our team of legal experts is equipped to guide your organisation through the intricacies of compliance, ensuring that you not only meet current legal requirements but also anticipate future challenges.
