In this guide, we’ll help you understand whether you’re eligible to claim compensation for a data breach. It’s important to note that not every incident of a data breach means a claim could be made. However, our guide will explain what your claim must demonstrate in order to be valid.
A breach of your personal data could result in you sustaining financial damage and psychological harm. For that reason, you could seek to be reimbursed for the damages you’ve faced after having your personal data breached.
There are several pieces of legislation in place to ensure organisations are taking reasonable steps to protect your personal data, for instance the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
These sit alongside each other as a regime for regulating the use of personal data. We will explore the role of these pieces of legislation further on in our guide.
Our guide will also provide information on what a personal data breach is and how it could happen, such as through human error or cyber security breaches.
Most importantly, this guide will look at the process of making a claim for any damages you’ve incurred as a result.
If you have any additional questions whilst or after reading our guide, get in touch on the following details:
- Telephone: 0800 408 7825
- Contact form: Fill out the form with your details and an advisor will get back to you.
- Live chat: Use the live support option below for instant free legal advice.
Select A Section
- How To Claim Compensation For A Data Breach
- Who Could Store Your Personal Data?
- How Do I Know What Information A Body Or Company Holds?
- Who Could Claim Compensation For A Data Breach?
- How Much Compensation Can You Claim For A Data Breach?
- Talk To Us About How You Can Claim Compensation For A Data Breach
In 2018, the General Data Protection Regulation (GDPR) was created by the EU and enacted into UK law by the Data Protection Act 2018 (DPA). These acted as a regime for ensuring organisations involved with processing people’s personal data kept it secure.
However, since the UK left the EU, the UK created the UK GDPR and it now sits alongside an updated version of the DPA.
As a data subject, your personal data may be used by:
- Data controllers: These are in charge of controlling the purposes and means of processing personal data.
- Data processors: These act on behalf of the data controller and act on instructions set out by them.
Both of these groups must take the necessary steps to ensure they are complying with the legislation set out to protect people’s personal data.
However, if a data controller fails to take the necessary steps to protect your personal data, you may be eligible to claim compensation for a data breach.
What Is A Data Breach?
The Information Commissioner’s Office (ICO), an independent government agency, defines a personal data breach as the act of unlawfully or accidentally losing, altering or destroying someone’s personal data. Additionally, a breach might include unauthorised disclosure or access to someone’s personal data.
Examples of this might include:
- A human error involving someone sending an email containing sensitive data to the wrong recipient
- Leaving a computer screen showing people’s bank details open for unauthorised parties to access
- Failing to keep cyber security up to date to prevent cyber attacks and hacks
- Failing to adequately train staff on data breach policies which leads them to make a series of errors such as disposing of sensitive or personal data incorrectly
- A misdirected fax containing someone’s bank details
If you have experienced a similar incident involving a breach of your personal data resulting in financial or psychological damage, you could claim compensation for a data breach.
Organisations have a duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach. In addition to this, if the data breach looks likely to affect the data subject’s rights in an adverse way, the data subject must be informed without undue delay.
We share our personal data in many ways and many organisations or third parties may process it. For example:
- Local authorities and housing associations
- Government agencies
- Private companies
- A pharmacy or opticians
- Banks and financial services
- Social media platforms
All organisations must have a valid lawful basis in order to process your personal data. There are six lawful bases in total:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
However, the basis on which an organisation processes data will depend on its purpose for doing so. For instance, if an organisation has a legal obligation to process your data, they do not need to gain your consent.
For more information on whether you’re eligible to claim compensation for a data breach, call our team.
What Data Could Be Held And Lost?
Organisations retain a wide range of personal information about us. In some cases, the data could be used to directly identify us, whereas other forms of data could identify us indirectly when used alongside other data. This might include:
- Direct data: Your name, postal address or email address.
- Indirect data: Your car registration number, IP address or bank details.
If you have evidence that your personal data has been breached, get in touch with our team. They can help you understand if you could claim compensation for a data breach.
As a data subject, you could ask organisations if they are using or storing your data. Furthermore, you can ask for copies of information they hold about you, either in writing or verbally. The process of doing so is called making a Subject Access Request (SAR).
A SAR can allow you to understand what personal information is held, how an organisation is using it, who it’s being shared with and where they acquired your data.
If possible, you should aim to send your request directly to the person who deals with SARs. This might be a data protection officer.
The organisation must usually respond to your SAR within a month. However, in some circumstances, they may require more time to respond.
Furthermore, in other circumstances, an organisation can refuse to provide you with all or any of the information you asked for if it’s considered excessive.
General Requests About A Data Breach
An organisation has to inform you without undue delay if your personal data has been breached and has had an impact on your freedom and rights.
However, if you are concerned about your personal data, you could contact the organisation directly. If the organisation hasn’t responded in a meaningful way, you could raise your concerns with the Information Commissioner’s Office (ICO).
However, you must not wait longer than 3 months to report your concern to the ICO. If you wait longer than 3 months, the ICO may find it more difficult to investigate your complaint.
Please note, the ICO won’t be involved when you claim compensation for a data breach. However, you could use findings from any investigation they do conduct as evidence to support your claim.
In order to put forward a valid claim following a data breach, you must be able to demonstrate that your case meets certain criteria.
For instance, you must prove that a breach occurred as a result of a data controller failing to take reasonable steps to protect your personal data, causing you to experience financial damage and/or psychological harm.
If your claim meets the criteria, you may be eligible to seek compensation. You can do this independently or with the help of a data breach solicitor.
We understand you may have concerns about hiring a solicitor, such as the upfront costs often required for a solicitor to begin working on your case.
However, there is another option. For instance, you may wish to hire a No Win No Fee solicitor. In doing so, you can avoid paying an upfront fee.
For more information on how you can claim compensation for a data breach with the help of a solicitor, call our team.
Each data breach claim may comprise the following:
- Material damages: These provide compensation for any financial damage you’ve experienced.
- Non-material damages: These provide compensation for any psychological harm you’ve sustained.
Evidence in the form of bank statements, credit card statements or other financial records will be required to support your claim for material damages.
A case called Vidal-Hall v Google 2015 made it possible to claim compensation for psychological harm without having sustained any damages to your finances. Before this case, you could only seek compensation for psychological harm if a data breach had affected you financially.
Claims for non-material damages can be valued using the Judicial College Guidelines (JCG). This is a document that provides bracket compensation figures for different injuries.
We have created a table of different psychological injuries using the figures and descriptions from the JCG. However, you should only use these figures as a guide because your actual settlement may vary.
| Type of Injury | Severity | Judicial College Guidelines Figures | Additional Notes |
|---|---|---|---|
| General psychiatric damages | (A) Severe | £51,460 to £108,620 | Various factors will be considered when deciding the award such as the extent to which the person's ability to cope with life, work and education has been affected. |
| General psychiatric damages | (B) Moderately Severe | £17,900 to £51,460 | The person will have a more encouraging prognosis than a severe case, but they may still experience ongoing problems. |
| General psychiatric damages | (C) Moderate | £5,500 to £17,900 | The person will have a good future prognosis and improved symptoms. |
| General psychiatric damages | (D) Less Severe | Up to £5,500 | The award given will consider how long a person has been affected and how badly their day to day activities and sleep have been impacted. |
| PTSD | (C) Moderate | £7,680 to £21,730 | For the most part, the person will have recovered but may experience some ongoing symptoms that aren't grossly disabling. |
| PTSD | (D) Less Severe | Up to £7,680 | A mostly full recovery within a 2 year period with only minor issues persisting. |
For more information on making a claim for compensation after a data breach, get in touch with our team. They can offer a free valuation and help you understand how compensation is calculated.
A data breach solicitor could help you understand how to seek compensation for a data breach today. The experienced solicitors from our panel can offer No Win No Fee services such as a Conditional Fee Agreement (CFA).
Under a CFA, if the case succeeds, a legally capped percentage will be deducted from your settlement as a success fee. Should the claim fail, you won’t pay the success fee.
Furthermore, there are no ongoing costs while your claim proceeds and no upfront cost to pay your solicitor.
For more information on how you can work with a solicitor from our panel, get in touch by:
- Contacting our team on 0800 408 7825
- Filling out the contact form online
- Using the live support option below for instant free legal advice
If you require any additional information on how to claim compensation for a data breach, please get in touch with our team on the number above.