Companies and charities that make nuisance calls or are careless with personal data could face fines of billions of pounds under new rules that give victims greater powers to fight back.
The new legislation is part of an EU crackdown on the misuse of data and will be binding despite Brexit.
One official claims the fines will be so huge it will be a ‘game changer’.
The General Data Protection Regulation (GDPR), which comes into force next May, will make it easier for people to sue companies that pester them, or that hold out-of-date or unnecessary information about them, where that causes distress or harm.
That could cover, for example, relatives mourning the loss of loved ones who have died since the data was first collected.
It also ramps up the penalties, allowing fines of up to four per cent of an organisation’s global annual turnover (or €20 million, whichever is higher).
Eleven charities were last week fined a total of £138,000 for misusing data, but the new rules would push such penalties into millions.
Telecoms firm TalkTalk was told to pay £400,000 last year after its systems were hacked, but the maximum penalty for an equivalent breach under the incoming regime could rise to £73 million.
Tesco Bank’s potential fine for last November’s attack by hackers on 40,000 customers’ accounts is put at £1.9 billion under the future rules. Note that four per cent of the bank’s own £955 million annual turnover would be about £38 million; the £1.9 billion figure only follows if the fine is calculated on the turnover of the wider Tesco group, which is possible because GDPR sets the cap by reference to the whole ‘undertaking’.
Lawyers describe the potential impact as ‘PPI on steroids’, after firms that sold unnecessary Payment Protection Insurance were made to pay back millions in fees that were wrongly levied.
Dean Armstrong QC, from London-based 2 Bedford Row, said: ‘This is going to dwarf any of the amounts we’ve seen before.
‘If you give your personal data to any organisation they need to look after it with respect and a priority that too many are neglecting at the moment.
‘To say this changes the landscape is an understatement.’
Individuals will be able to claim damages from companies they accuse of wronging them, and class action lawsuits are also expected.
Mr Armstrong suggested what he called ‘GDPR bounty-hunters’ could crop up: firms offering to pursue damages for people, just as PPI claims companies have done.
Organisations found to be in breach of the new regulation also risk heavy regulatory fines on top of any damages.
Britain’s Information Commissioner, Elizabeth Denham, has been among the main drivers behind the new regulation, which has been several years in the planning.
And the UK will remain bound by it despite Brexit, officials have insisted, although her office is continually pressing the government for more staff as it takes on extra powers.
Her office issued total fines of £1million last year but she expects that figure to soar in the years ahead.
She said: ‘Make no mistake, this one’s a game changer for everyone.
‘Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data - a pre-ticked box will not be valid consent.’
A recent government survey found only half of businesses had taken action to identify cyber-risks, while an ICO poll found three out of four people did not trust firms to handle their personal information properly.
Charities are being warned they face especially hefty losses, both in fines for misusing personal data and also drops in donations as they face new restrictions on fund-raising.
The think-tank New Philanthropy Capital (NPC) has been urging the voluntary sector to get its house in order ahead of the new rules.
NPC development director Tris Lumley said: ‘I don’t think anyone’s saying you shouldn’t collect data but charities need to be more efficient as well as effective.’
He also warned that charities must do more to protect the data of not only donors but also the people they help, whose personal information is too often neglected.
Charities are expected to change their systems so that donors must actively ‘opt in’ to email and phone communications rather than finding themselves signed up automatically.
‘There’s lots of work to be done, but charities are certainly increasingly aware on the fundraising side - there are lots of signs they’re working hard to be compliant.
‘But there’s less so when it comes to beneficiaries, the people who are actually receiving services and support and have information held about them.’
He suggested the new rules could be a good thing for charities, forcing them to improve their data protection while also making the most of their potential support.
But he added: ‘A lot of organisations will be seeing a potential reduction in their fundraising income from moving from an opt-out to an opt-in model - but then that could lead to a better relationship with their donors.
‘This will at least raise awareness of data protection and its importance, there’s no two ways about that.
‘Public trust and confidence in charities is something that’s coming under increasing scrutiny and GDPR will only bring that into further focus.
‘There are possible costs either way - they go hand-in-hand.’