By Danielle Graves. Last Updated 21st July 2023. Recent changes in the law mean that you are in a better position than ever to claim compensation from those who breach your data and cause you harm. If this happened to you, this article will answer the question: how do I report a data protection breach?
In 2018 the law changed around data protection. The introduction of the General Data Protection Regulation (GDPR) means that any organisation, company or agency that collects your data must do so for specific reasons and handle it with care. These laws are upheld by an independent organisation called the Information Commissioner’s Office (ICO), which has tremendous power to enforce compliance and issue fines if your data is not handled properly.
Breaches in data protection can cause all manner of problems for the people they affect. It’s so much more than just a few unwanted spam emails or text alerts you did not sign up for. A data breach can result in your entire identity being stolen and if you have been touched by issues like this, you may be wondering what you can do.
If you have questions you’d like answered right now, please feel free to contact our team. We specialise in helping people clarify their options around launching data breach compensation claims and can connect you with a data breach solicitor from our panel within minutes.
Simply start your claim by calling our team direct on 0161 696 9685 or writing/emailing us at Legal Helpline. You can also use the ‘live support’ option at the bottom right to get on-the-spot guidance about reporting a data breach.
Select A Section
- How Do I Know If My Data Privacy Was Breached?
- What Data Protection Breaches Could I Report To The Information Commissioner?
- How Do I Report A Data Breach To The Information Commissioner?
- How To Report A GDPR Breach To A Data Controller Or Processor
- What Happens When I Report A Data Protection Breach?
- How Long Do I Have To Report A Data Breach?
- Calculate Compensation After Reporting A Data Protection Breach
- Material And Non-Material Damages You Could Claim Compensation For
- Claiming For A Data Breach With A No Win No Fee Solicitor
- Where To Learn More
Before we answer the question – ‘how do I report a data protection breach?’ it’s important to explain how the breach may first come to your attention. It’s a legal requirement for companies and organisations to tell you as soon as possible if they think your data may have been hacked or otherwise compromised. In addition to this, the company itself has a legal obligation to report the breach to the ICO (within 72 hours) and may or may not investigate.
Perhaps you received a letter or an email from a company or agency alerting you to a breach. You may have heard about it from social media, news outlets or other involved parties. However it came to your attention, you have a step-by-step procedure that can help you report the breach and obtain compensation for any negative repercussions that arise from it. There are three basic types of breach:
- Integrity – the unauthorised or accidental alteration of data. Cases where the data is changed without consent.
- Confidentiality – the unauthorised or accidental disclosure of information. When your privacy is broken.
- Availability – loss or destruction caused accidentally or deliberately. This could be someone deleting your details without consent.
It’s important to note that these actions are deemed breaches if they fall outside of the pre-agreed terms of original use. You may become aware of a data breach in a different manner. Perhaps money starts to disappear from your account or there is a sudden increase in spam emails and cold calls.
Worse still, your name could be implicated in fraud or crimes you are totally unaware of. Identity theft is horrendously damaging both financially and emotionally for the victim. Events such as these will undoubtedly alert you very quickly to a problem.
In some instances of hacking or serious cybercrime, the company may not know themselves that their security has been breached. In cases of human error within the organisation, a prompt admission of responsibility is the only acceptable reaction.
Whilst cybercriminals are indeed trawling the internet for personal information to exploit and constantly testing the weak spot of a company’s defence, data breaches can also be the result of innocent or incompetent human error. Some examples:
- A colleague gossips and shares personal information
- Laptops are left open with data visible to others
- Mail is sent to the wrong recipient
- Emails are forwarded without the properly redacted or encrypted information
- Keying errors send data off to the wrong place
- Storage is inadequate or unfit for purpose – exposing paper documents
- Transportation is sloppy and documents get lost
- Smartphones, USB sticks and other portals of information are lost or stolen and lack encryption
These are all potential liabilities for companies. Under the principle of ‘vicarious liability,’ an employer can be held responsible for the actions of an employee.
Training and robust software defence systems are the only defence against human error. However innocent or absent-minded the error, for the data breach victim, the consequences can be devastating. GDPR laws and ICO penalties are severe in recognition of this.
Whilst ignorance is no defence, the ICO accept that perfect adherence to all data protection laws can be difficult. In practice, they tend to be more understanding of companies that have tried their best to prevent the breach or deal with it properly than those who flagrantly disregard the safety of our data.
Once it has come to your attention that you are the victim of a data breach, there is a step by step procedure to follow to report it.
- Firstly, contact the agency or organisation that breached your data with a complaint in writing. The ICO offer a template letter you can use.
- Allow a period of no longer than three months to receive a meaningful response from this organisation. They may try to deny the breach or your involvement in it. The three month period is important as after that, it can be difficult for your case to be taken seriously by the ICO.
- Without a meaningful or helpful response, ask the ICO to step in. The Commissioner will not automatically take up your case but if it’s a serious breach that has affected people badly they can apply pressure on the company in question to explain it. Their involvement lends your case weight and you can refer to their website to see how the company is being monitored or what penalties are being imposed against them.
- The ICO does not pay compensation. To start a claim for that, you need to start a private case against the organisation.
People often ask us how to report a GDPR breach to the person or body responsible for breaching their data. Although those responsible are obligated to inform you of a data breach, there are a few reasons why they may not. For instance, they may simply not be aware that a breach has occurred.
When you report a breach of data protection, you may be tempted to do so over the phone. You may feel that this will get you quicker results. However, there is a chance there will be no record of the call. When it comes to claiming, this could potentially lead to the data controller in question denying that they were ever aware of the data breach or that they were ever made aware of it.
It is better to notify the data controller or processor of a data breach via email. This way, you can prove that you sent the email if you should need to during your claim. Whilst you can then follow up this email with a phone call if you wish, you will then have proof of notification.
If you need more information, get in touch with our advisors today.
There is a three-month period from complaining in writing to the last meaningful contact with the organisation in question. Failure to receive a meaningful response may mean you decide to take your grievance further. You can use this time to build evidence with a view to starting a private case for compensation for the data breach.
You do not have to involve the ICO at all and you do not have to use the services of a data breach solicitor. But both can make the argument for recompense stronger and lend more credibility to your compensation claim. As you wait for the outcome of the ICO’s investigation, use the time to consider starting a claim with a No Win No Fee data breach lawyer.
If your personal data has been involved in a UK GDPR breach, you may be wondering, ‘How long do you have to report a data breach?’
If you discover that your personal data has been compromised, you should report the breach to the organisation responsible as soon as possible. You could also ask them to clarify exactly what personal information was involved in the breach.
Additionally, you could report the data breach to the ICO. They could then choose to investigate the breach, and their findings could be used as evidence in your data breach claim. However, you must do this within 3 months of your last meaningful communication with the organisation responsible regarding the breach.
Organisations also have time limits they must adhere to when reporting a data breach. Firstly, they must report the breach to the ICO within 72 hours of discovering it. Furthermore, they must inform you without undue delay if your personal data has been involved in a breach, if they believe your rights and freedom may be at risk.
If you have any questions about what to do following a data protection breach, please get in touch with our advisors using the details at the top of the page.
Once you’ve decided to start a claim for data breach compensation you can use a No Win No Fee lawyer to help you. There are numerous advantages to using a solicitor in this way which we explain in greater detail below.
The most important point of action is to gather together as much evidence as you can that the data breach affected you in damaging ways. Our table below shows what sorts of awards are suggested for mental damage stemming from a breach:
| Type Of Harm | Description | Compensation Bracket |
|---|---|---|
| Psychiatric Damage - Severe | Severe problems that affect many areas of daily and social life. | £54,830 to £115,730 |
| Psychiatric Damage - Moderately Severe | Significant problems with daily life. But, there is a more optimistic prognosis. | £19,070 to £54,830 |
| Psychiatric Damage - Moderate | Marked improvements have been made, despite having struggles with various problems. | £5,860 to £19,070 |
| Psychiatric Damage - Less Severe | The effect on daily activities and sleep will be taken into account. | £1,540 to £5,860 |
| PTSD - Severe | Inability to function the same as pre-trauma due to permanent effects. | £59,860 to £100,670 |
| PTSD - Moderately Severe | Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future. | £23,150 to £59,860 |
| PTSD - Moderate | Largely recovered with any persisting symptoms not being majorly disabling. | £8,180 to £23,150 |
| PTSD - Less Severe | A full recovery is made within 2 years, with only minor problems persisting after this. | £3,950 to £8,180 |
These figures are taken from the Judicial College Guidelines which is a publication of suggested compensation amounts. In brackets of severe or moderate and with varying degrees of recovery, these awards give your lawyer a target of compensation to argue for on your behalf.
For a more accurate estimate relevant to your own case, please get in touch with our team.
Non-material damages, discussed in the section above, can take into account all the very real consequences of how a data breach could adversely affect your health and your ability to work or function as normal, such as:
- Pain and suffering caused by the data breach
- Risk of psychiatric illness (stress, depression and anxiety)
- Impact on personal relationships
- Loss of quality of life
- Increased likelihood of future health problems
Since the decision in the Vidal-Hall v Google case, all of these repercussions could be awarded compensation in their own right. Obviously, medical evidence is needed and your No Win No Fee data breach lawyer can help arrange to obtain this. The results of this evaluation can form solid evidence in your claim.
As well as this, you can compile evidence of financial loss as a consequence of the data breach. If for example, hackers breached your bank account and were able to plunder your finances, the bills would still need to be paid. Where might this money come from?
You could have proof in the form of statements that show unusual activity in your account. These damages are referred to as material. All tangible losses might qualify, such as:
- Suddenly missing amounts from accounts
- Loss of work
- In extreme cases, the impact of identity theft and the need to relocate
It might seem extraordinary that a simple oversight at an organisation could wreak so much havoc in your life but it does happen. The reason data breach laws are so strenuously upheld is that the ICO recognise the damage data theft can cause in a person’s life. It’s not just a sudden rash of nuisance phone calls about services you didn’t request. In some cases, it can be the wholesale appropriation of a person’s life.
If you are eligible to make a personal data breach claim, you may wish to have a solicitor to support your claim. One of the data breach solicitors from our panel could work on your case on a No Win No Fee basis under a Conditional Fee Agreement.
When your solicitor works with you under this type of agreement, they won’t ask for you to pay any upfront or ongoing fees for their services. You also won’t be asked for a payment towards their work on your personal data breach claim if you’re not awarded compensation following an unsuccessful case.
However, should your claim prove successful, your solicitor will deduct a success fee from your award. The amount that can be taken as this fee is a legally capped percentage.
If you have any questions or to find out if you may be eligible for compensation, speak to an advisor from our team. They’re available with free advice 24/7. In addition, if it seems like you are eligible to seek data breach compensation, they could connect you to one of the solicitors from our panel.
Our website offers further advice on GDPR data breach compensation claims. You can read here about what to do if the NHS breached your data, or if you were the victim of a data protection problem at a bank. You might also find this link about victim support for data breaches helpful.
Other Data Breach Claim Guides
- Claiming For Data Breaches Caused By Human Error
- If you’ve been impacted by a data protection breach at work, you can head here to learn all about your legal rights. You can also find potential compensation payouts and how we can help you take action.
- My HIV Data Was Breached – Can I Claim?
- Clinic Data Breach Claims
- My Medical Information Has Been Shared – Could I Claim?
- Examples Of Accidental Workplace Data Breaches
- Anxiety Due To A Data Breach – Who Can Claim?
- Dismissal Records Data Breach – Can I Claim?
- Medication Data Breach – Who Could Make A Claim?
- A Solicitor Sent Your Medical Info To The Wrong Person – Can You Claim?
- Victim Of Abuse Data Breach – Who Can Claim?
Thanks for reading our guide that sought to answer the question, how do I report a data protection breach?