UK GDPR Case Law & Accuracy Principle — Legal Crowd Funder

Alastair Majury
5 min readJan 21, 2021
Copyright Compliance Junction

GDPR has been with us for a number of years now, and there are six key principles of GDPR that data processors, (mostly companies) need to folllow.

TL;DR — Please donate via in order to help ensure that companies, like CapGemini UK Plc, will process data accurately and otherwise follow the key GDPR principles.

However, as we know whilst some and hopefully most firms will obey the law without the likely threat of penalty this is not the case in all cases.

Whilst GDPR has been around for a number of years now, there are still only a few GDPR cases in order to help clarify the law.

Let us have a look at these.

The largest fine to date is currently the £183 million penalty (equivalent to 1.5% of BA’s worldwide turnover) awarded to British Airways by the ICO in July 2019 for failing to adequately protect its customers from a cyber attack where hackers stole the personal data, including bank details of 500,000 customers. The airline was targeted between 21st August and 5th September by a group of hacked that had carried out previous cyber-attacks on Ticketmaster in June 2018. This stands out as the pivotal ruling by the ICO that the days of a cool half a million for the most serious data breaches are over.

In a swift one-two boxing combo, the ICO dished out its second largest fine to Marriott, the international hotel group, the day after BA received its record-breaking fine. Marriott was fined £99 million after hackers stole the personal data of 339 million customers globally, including 7 million in the UK. In Marriott’s 2016 acquisition of Starwood hotels group, Marriott inherited Starwood’s weak IT system that left customers vulnerable to hackers. Both BA and Marriott say that they will appeal the ICO’s decisions.

Across the Channel in France, Google was fined €50 million by the French Commission nationale de l’informatique et des libertés (CNIL) in January 2019. Google was caught out by GDPR as Google as it made it too difficult for users to be able to opt out of data-processing in the personalisation of adverts. Nevertheless, €50 million is a fraction of the possible €4 billion sum that is the maximum penalty that CNIL could impose and thus the case, whilst a key milestone at the time, has been overshadowed by the fines imposed on BA and Marriott.

Equifax was also fined £500,000 in September 2018 by the ICO after a cyber-attack left the personal data of 146 million people around the world and 15 million people in Britain. The credit rating agency had ignored warnings about a “critical vulnerability” in its systems and despite being headquartered in the US felt the full force of the old Data Protection Act 1998 as its UK branch was liable for the failure of its American HQ to protect its British customers.

Another curious lucky escapee of GDPR has been the Pregnancy club Bounty UK who were fined £400,000 by the ICO in April 2019. The ICO found that between June 2017 and April 2018, Bounty UK illegally shared personal data onto third parties (Acxiom, Equifax and Sky) for marketing purposes without notifying the 14 million people who had their data passed on. The data being shared was harvested from potentially vulnerable new mothers or mothers-to-be and their children and it included details such as young children’s date of birth and gender.

So currently there is no case law, that indicates to companies that they must honour the accuracy principle of GDPR.

For example: CapGemini UK plc infringed the accuracy principle of GDPR in 2019, resulting in the loss of paid work for me, that was scheduled to last until December 2020, and potentially longer.

This fundraiser will raise funds in order to pay for a Barrister to take on CapGemini UK plc and help to ensure that firms know that they must follow the GDPR principles, and that there will be consequences if they don’t.

There is at the moment limited case law with respect to GDPR, other than mass data breaches. So this will be an important case, to help ensure that firms know that they must hold accurate data, as well as ensuring it is not breached.

CapGemini UK plc’s defence to date relies on ignoring what their own e-mails around the time of the inaccurate data being communicated, and indeed contradicting these facts in their version of events, along with the view of their own HR team from after the event.

However, they are refusing to accept that this means that they must pay the damages resulting from their inaccurate processing.

Resulting at the time of the publishing of the linked article, two unpaid CCJs. -Capgemini UK Plc’s CCJs — £248 & £59,289 owed

We have the opportunity to create case law, that will help send a message to companies that they must accurately process the personal data of people or otherwise pay the consequences.

There is a Crowd Funding fundraiser raising funds in order to help pay for a Barrister to help legally force CapGemini UK plc to recognise what their own internal e-mails from the time and shortly afterwards say, this would also help set case law, so that other companies know that they must honour GDPR including the accuracy prinicple.

Please consider donating to Help CapGemini Honour GDPR

Alastair Majury Chartered MCSI, is also a director of Majury Change Management Ltd is a highly experienced Senior Business Analyst / Data Scientist with a proven track record of success planning, developing, implementing and delivering migrations, organisational change, regulatory, legislative, and process improvements for global financial organisations, covering Retail Banking, Investment Banking, Wealth Management, and Life & Pensions.

For several years now, Alastair has worked extensively with a variety of financial institutions in order to offer the utmost comprehensive services. As a data scientist/business analyst, Alastair Majury Chartered MCSI is expected to find intuitive and sensible solutions to complex problems.

As a data scientist/business analyst, Alastair Majury Chartered MCSI has worked closely with several high-profile businesses, such as BNP Paribas, National Australia Bank, Standard Life and the Royal Bank of Scotland Group.​A graduate of University of Glasgow, Alastair Majury Chartered MCSI earned his M.A. in Economics with Business Economics. Since then, Alastair has undergone several training sessions and earned multiple certifications for a variety of skills. More specifically, he has earned certifications in IAQ, risk management, resource management, and a bevy of other areas. ​Alastair Majury thoroughly enjoys his work.

What excites him most about being a data scientist/business analyst is that every problem has a variety of solutions. This allows for a great deal of creativity on his part. Providing ingenious solutions to his customers’ problems provides a great deal of satisfaction to Alastair Majury Chartered MCSI. Every single day can be a new and challenging problem.​

Although he is a fierce and determined worker, Alastair also manages to find free time to embrace his hobbies and interests. Alastair is a major proponent of philanthropy and charitable endeavors. He constantly finds new and exciting ways to promote charities and philanthropic organizations in his community. He also tries to donate time and funds to said organizations whenever he can. Alastair Majury Chartered MCSI firmly believes that if we all work together towards a common goal, we can find peace.



Alastair Majury

I am a Chartered Member of CISI, which is the UK’s leading securities and investment professional body. Alastair Majury resides locally in Dunblane.