A leading authority on EU data compliance has warned companies to guard against a “last-minute scramble” to comply with new draft data legislation expected to take effect by mid-2017.

Failure to comply with the General Data Protection Regulation (GDPR) could lead to fines of up to €100m (£73m) and open PPI-style compensation floodgates, claimed Jeremy Whitaker, chairman of Verso Group.

The forthcoming data law, which has been watered down after lobbying from the UK, Germany and France, is now a fait accompli, according to Whitaker, and requires consumers to give “proven” permission for their personal behavioural and preference data to be used except where anonymised.

Permission will need to be obtained when adding consumers to a database or sending marketing communications, and consumers will have the right to have their data removed.

“Not being GDPR compliant is a high-risk gamble not only in terms of punishment but also in damage to brand equity. This could create a compensation trend similar to that of PPI,” Whitaker said.