Recent changes in the law mean that you are in a better position than ever to claim compensation from those who breach your data and cause you harm. If this has happened to you, this article will answer the question: how do I report a data protection breach?
In 2018 the law changed around data protection. The introduction of the General Data Protection Regulation (GDPR) means that any organisation, company or agency that collects your data must do so for specific reasons and handle it with care. These laws are upheld by an independent organisation called the Information Commissioner's Office (ICO), which has tremendous power to enforce compliance and issue fines if your data is not handled properly.
Breaches in data protection can cause all manner of problems for the people they affect. It’s so much more than just a few unwanted spam emails or text alerts you did not sign up for. A data breach can result in your entire identity being stolen and if you have been touched by issues like this, you may be wondering what you can do.
If you have questions you’d like answered right now, please feel free to contact our team. We specialise in helping people clarify their options around launching data breach claims and can connect you with a data breach solicitor from our panel within minutes.
Simply start your claim by calling our team direct on 0161 696 9685 or writing/emailing us at Legal Helpline. You can also use the ‘live support’ option, bottom right to get on the spot guidance about reporting a data breach.
Select A Section
- A Guide On How To Report A Data Protection Breach?
- What Are Data Protection Breach Claims?
- How Do I Know My Data Privacy Was Breached?
- What Data Protection Breaches Could I Report To The Information Commissioner?
- How Do I Report A Data Breach To The Information Commissioner?
- What Information And Evidence Does My Report Need To Include?
- What Happens When I Report A Data Protection Breach?
- How Long Do You Have To Report A Data Breach?
- Calculate Compensation After Reporting A Data Protection Breach
- Material And Non-Material Damages You Could Claim Compensation For
- Make A Data Protection Breach Claim With A No Win No Fee Solicitor
- How To Get Help From A Data Protection Breach Solicitor
- Speak To A Solicitor About Your Claim
- Frequently Asked Questions About Reporting A Data Breach
- Where To Learn More
Every day our personal information circulates on the internet. We consent to much of its use. Each time we buy something online, use social media or send an email we are now presented with options about how we want that information to be used. This is thanks to GDPR.
In this article, we explain the principles of good data protection and the action you can take if your data has been exploited. We also look at the new laws, which have done much to tighten up data use.
A case called Vidal-Hall v Google changed the position of the law to allow people to claim for mental damage even if they haven’t suffered financial harm. Previously, it was necessary to prove you had suffered financial harm as well, but the Court acknowledged that data breaches can create a tremendous amount of mental anguish.
It’s important to have evidence of the damage suffered. We discuss how a breach is defined, what might happen to you as a result, and what proof you would need to successfully embark on a compensation claim against a company that permitted a lapse in data security.
Our compensation table shows the amounts possible for psychological suffering and we explain what's needed to prove financial loss. Combined, you could be remunerated for a data breach in which you were wholly innocent.
Firstly, it’s important to understand that data is more than just names, addresses or phone numbers. In the eyes of the law, it is regarded as our personal property and as such, we have rights about the way it is used.
A breach is defined by the ICO as the accidental or deliberate:
- Unauthorised sharing of any personal data.
Any company that wishes to collect and retain information about us must now comply with 7 core principles for correct data handling. Failure to do so can result in action from the ICO, such as penalties which could be as high as £17.5 million or 4% of the last year’s annual turnover for that company.
As you might imagine, that can be a formidable threat to some companies. They must invest in proper firewall security software and staff training to do everything they can to avoid a data breach.
ICO Core Principles
The seven core principles for proper data handling are designed to be as simple and immediate for companies to understand as possible:
- Lawfulness, fairness, and transparency – to use personal data in ways that comply with the law as well as in a manner customers and staff expect and know about.
- Purpose limitation – that personal data is used only for the reasons collected, nothing extraneous or unrelated.
- Data minimisation – there should be limits on the amount of personal data gathered to do what is needed.
- Accuracy – the data should be precise and kept accurate.
- Storage limitation – data should be kept only for as long as it is needed. After which it should be securely deleted or shredded.
- Integrity and confidentiality (security) – personal data also needs to be kept secure.
- Accountability – perhaps most importantly, this principle focuses on taking responsibility and having the right measures in place, keeping proper records to demonstrate the ways in which you are complying with data protection and achieving the expectation of the GDPR.
With these principles in place, companies may still fall victim to outside hacking or scams and viruses. They may also suffer from staff incompetence or negligence. If you have suffered in such a way, please get in touch.
Third Parties and other data users
Three main groups are involved in the use of our data. Controllers are the companies who initially gather the data. The data may be volunteered, requested or a legal requirement. We usually consent to data sharing at this stage in order to use services, enjoy benefits or comply with the law. Rather than simply clicking ‘I agree’, it can be helpful to pay more attention to cookie preferences to be sure you know what you have agreed to.
Processors are either inside or outside agencies who are responsible for the maintenance of that data—its storage, transportation, amendments and general upkeep can be performed by processors. Breaches can happen here if sub-contracted companies undertake the circulation of data and fail to uphold the standards the controller desires, as in the case of Blackbaud.
Lastly, third parties are the ‘end-users’ of our data and can receive our information for a host of marketing, sales and information purposes.
In some instances, it is not necessary to obtain our consent to data use. For example, if we have already given permission or entered into an initial contract of some kind that clearly states consent is pre-agreed.
Consent is not needed if the company is required by law to share information (such as a request from HMRC) or if it is in the public interest to have data shared. ‘Vital interests’ relate to how accessing and sharing the data might save your life, in a medical scenario for instance. Lastly, legitimate interests of the company or organisation refer to the agreed remit of data collection and its proper use.
Before we answer the question – ‘how do I report a data protection breach?’ – it’s important to explain how the breach may first come to your attention. It’s a legal requirement for companies and organisations to tell you as soon as possible if they think your data may have been hacked or otherwise compromised. In addition to this, the company itself has a legal obligation to report the breach to the ICO (within 72 hours), which may or may not investigate.
Perhaps you received a letter or an email from a company or agency alerting you to a breach? You may have heard about it from social media, news outlets or other involved parties? However it came to your attention, there is a step-by-step procedure that can help you report the breach and obtain compensation for any negative repercussions that arise from it. There are three basic types of breach:
- Integrity – the unauthorised or accidental alteration of data. Cases where the data is changed without consent.
- Confidentiality – the unauthorised or accidental disclosure of information. When your privacy is broken.
- Availability – loss or destruction caused accidentally or deliberately. This could be someone deleting your details without consent.
It’s important to note that these actions are deemed breaches if they fall outside of the pre-agreed terms of original use. You may become aware of a data breach in a different manner. Perhaps money starts to disappear from your account or there is a sudden increase in spam emails and cold calls.
Worse still, your name could be implicated in fraud or crimes you are totally unaware of. Identity theft is horrendously damaging both financially and emotionally for the victim. Events such as these will undoubtedly alert you very quickly to a problem.
In some instances of hacking or serious cybercrime, the company may not know themselves that their security has been breached. In cases of human error within the organisation, a prompt admission of responsibility is the only acceptable reaction.
Whilst cybercriminals are indeed trawling the internet for personal information to exploit and constantly testing the weak spots of a company’s defences, data breaches can also be the result of innocent or incompetent human error. Some examples:
- A colleague gossips and shares personal information
- Laptops are left open with data visible to others
- Mail is sent to the wrong recipient
- Emails are forwarded without the information being properly redacted or encrypted
- Keying errors send data off to the wrong place
- Storage is inadequate or unfit for purpose – exposing paper documents
- Transportation is sloppy and documents get lost
- Smartphones, USB sticks and other devices carrying information are lost or stolen and lack encryption
These are all potential liabilities for companies. Under the principle of ‘vicarious liability,’ an employer can be held responsible for the actions of an employee.
Training and robust software defence systems are the only defence against human error. However innocent or absent-minded the error, for the data breach victim, the consequences can be devastating. GDPR laws and ICO penalties are severe in recognition of this.
Whilst ignorance is no defence, the ICO accept that perfect adherence to all data protection laws can be difficult. In practice, they tend to be more understanding of companies that have tried their best to prevent the breach or deal with it properly than those who flagrantly disregard the safety of our data.
Once it has come to your attention that you are the victim of a data breach, there is a step-by-step procedure to follow to report it.
- Firstly, contact the agency or organisation that breached your data with a complaint in writing. The ICO offer a template letter you can use.
- Allow a period of no longer than three months to receive a meaningful response from this organisation. They may try to deny the breach or your involvement in it. The three-month period is important, as after that it can be difficult for your case to be taken seriously by the ICO.
- Without a meaningful or helpful response, ask the ICO to step in. The Commissioner will not automatically take up your case but if it’s a serious breach that has affected people badly they can apply pressure on the company in question to explain it. Their involvement lends your case weight and you can refer to their website to see how the company is being monitored or what penalties are being imposed against them.
- The ICO does not pay compensation. To start a claim for that, you need to start a private case against the organisation.
The ICO has a very clear and user-friendly website that offers a wealth of information to both companies and individuals affected by a data breach. They offer a useful self-assessment guide that can help you decide if your breach needs to be reported to the ICO and whether it poses a serious threat to the data of you or others.
A personal data breach involves unauthorised loss, alteration and exposure and acts as your starting point for reporting to the ICO. The site then goes on to ask:
- Does the data breach involve the data of living individuals?
- Is there likely to be a high risk to people’s rights or freedoms?
As you answer these questions the ICO can guide your actions correctly and save much time in the process. Speak to our team if there are any points in the process you are unclear about.
When reporting a data protection breach that has affected you personally, it’s important to gather evidence to support your claim for damages. Data breach claims can only be made once and it’s important not to omit any expenses you might be liable for in the future.
Fraud perpetrated in your name by online cybercriminals can result in overdraft fees and late charges that persist long into the future. Whilst banks may be sympathetic and also keen to locate the real source of the online fraud, in the meantime these costs could stack up in your name.
There is a three-month period from complaining in writing to the last meaningful contact with the organisation in question. Failure to receive a meaningful response may mean you decide to take your grievance further. You can use this time to build evidence with a view to starting a private case for compensation for the data breach.
You do not have to involve the ICO at all and you do not have to use the services of a data breach solicitor. But both can make the argument for recompense stronger and lend more credibility to your compensation claim. As you wait for the outcome of the ICO’s investigation, use the time to consider starting a claim with a No Win No Fee data breach lawyer.
Companies are required by law to report data breaches within 72 hours to the ICO and they are supposed to inform you as soon as possible.
If you are planning on commencing a private case against a company that breached your data resulting in damage to your finances or emotional health, it’s better to start sooner rather than later. The gathering of evidence might take longer than anticipated and if the other party refuses to accept liability, there may be a protracted settlement.
Once you’ve decided to start a claim for data breach compensation you can use a No Win No Fee lawyer to help you. There are numerous advantages to using a solicitor in this way which we explain in greater detail below.
The most important point of action is to gather together as much evidence as you can that the data breach affected you in damaging ways. Our table below shows what sorts of awards are suggested for mental damage stemming from a breach:
| Injury | Description | Suggested award |
|---|---|---|
| Psychiatric damage - severe | Extreme and lasting problems chronically affecting many areas of life. | £51,460 - £108,620 |
| Psychiatric damage - moderately severe | Significant problems like stress and trouble working or sleeping. | £17,900 - £51,460 |
| Psychiatric damage - less severe | The effect on daily activities and sleep will be taken into account. | Up to £5,500 |
| PTSD - severe | Inability to function at work or in life as normal. | £56,180 - £94,470 |
| PTSD - moderately severe | Recovery possible but disabilities for foreseeable future with prognosis of some recovery with professional help. | £21,730 - £56,180 |
| PTSD - moderate | Largely recovered but some lingering and persisting symptoms, even with therapy. | £7,680 - £21,730 |
| PTSD - less severe | Minor symptoms but mostly recovered within 2 years. | Up to £7,680 |
These figures are taken from the Judicial College Guidelines which is a publication of suggested compensation amounts. In brackets of severe or moderate and with varying degrees of recovery, these awards give your lawyer a target of compensation to argue for on your behalf.
For a more accurate estimate relevant to your own case, please get in touch with our team.
Non-material damages, discussed in the section above, can take into account all the very real consequences of how a data breach could adversely affect your health and your ability to work or function as normal. Such as:
- Pain and suffering caused by the data breach
- Risk of psychiatric illness (stress, depression and anxiety)
- Impact on personal relationships
- Loss of quality of life
- Increased likelihood of future health problems
Since the decision in the Vidal-Hall v Google case, all of these repercussions could be awarded compensation in their own right. Obviously, medical evidence is needed and your No Win No Fee data breach lawyer can help arrange to obtain this. The results of this evaluation can form solid evidence in your claim.
As well as this, you can compile evidence of financial loss as a consequence of the data breach. If for example, hackers breached your bank account and were able to plunder your finances, the bills would still need to be paid. Where might this money come from?
You could have proof in the form of statements that show unusual activity in your account. These damages are referred to as material. All tangible losses might qualify, such as:
- Suddenly missing amounts from accounts
- Loss of work
- In extreme cases, the impact of identity theft and the need to relocate
It might seem extraordinary that a simple oversight at an organisation could wreak so much havoc in your life but it does happen. The reason data breach laws are so strenuously upheld is that the ICO recognise the damage data theft can cause in a person’s life. It’s not just a sudden rash of nuisance phone calls about services you didn’t request. In some cases, it can be the wholesale appropriation of a person’s life.
With this in mind, No Win No Fee or Conditional Fee Agreements (CFAs) can offer you instant legal representation. With no upfront costs or fees to hire the lawyer and none to pay as the case moves forward, this option has helped thousands pursue claims they may otherwise have let go for lack of funds.
Furthermore, if your No Win No Fee claim is not successful, there is nothing to pay your lawyers at all. The data breach lawyer takes a small, capped percentage of the overall settlement from cases that win at the end.
In short, No Win No Fee represents a legal option that is financially risk-free, quick and professional. Your lawyer will advise you at the start of the case if it looks likely to win. They won’t waste your time if it does not.
Furthermore, they have a stake in achieving the best possible outcome as their fee derives from it. This means that you can rest assured they are giving your case their fullest attention and efforts. Without a doubt the best option.
Legal Helpline can connect you to skilled and professional No Win No Fee data breach solicitors from our panel in one phone call. When you contact our team they can chat over the circumstances of your data breach and connect you immediately.
The expertise our team has in cases like this spans three decades. The more information you can share, the stronger a case they may be able to build for you. When it comes to discussing a settlement figure, their calculations may help you obtain far more for the data breach than you initially thought possible. Give your claim the edge and contact us now.
In summary, we hope that this article has helped explain how to report a GDPR data breach. If you feel ready to start a claim, or just want more information on how do I report a data protection breach, our team are ready right now to assist. You can:
- Call us on 0161 696 9685
- Write or email at Legal Helpline
- Use the ‘live support’ option, bottom right for instant help and advice
Thank you for reading our guide on the question, ‘how do I report a data protection breach?’ We hope that it has helped clarify your options and provided you with the resources to make an informed decision.
Below are some commonly asked questions that offer more advice, but if you have a specific query that we haven’t covered, please don’t hesitate to get in touch. Our team are happy to help and available on the number above.
Who do I report a breach of data protection to?
Initially, you should report the breach to the organisation responsible. If you do not know, you can ask the ICO to step in and investigate. Both will expect you to have grounded evidence to demonstrate a data problem and not be claiming a breach based on suspicion or assumption.
How do I report a company for the GDPR breach?
Reporting a data protection breach in the UK is quite straightforward. You can approach the company in question with a complaint about how your data is being handled and you can elevate that complaint to the ICO if you are not satisfied with the response. How long to report a data breach under GDPR? Six years normally or 1 year if the case involved a violation of human rights.
Do I have to report a GDPR breach?
No. After using the self-assessment guide on the ICO website you may not have to. In answer to the question, how long do you have to report a data breach? the answer is 6 years from the date you gained knowledge of the breach or 1 year if the breach affects your human rights.
Our website offers further advice on GDPR data breach compensation claims. You can read here about what to do if the NHS breached your data, or if you were the victim of a data protection problem at a bank. You might also find this link about victim support for data breaches helpful.
Thanks for reading our guide that sought to answer the question, how do I report a data protection breach?
Guide by JJW
Edited by REB