How Long Do You Have To Report A Data Breach And Start A Claim?

By Cat Mulligan. Last Updated 8th November 2023. This guide will look at how long you have to report a data breach and how quickly the report must be made.

We also look at how long a company has to report a data breach. Moreover, we explain how to claim compensation for a personal data breach.

It’s normal for organisations to collect personal data from employees, clients and other stakeholders. Organisations that decide why and how personal information is collected are known as data controllers.

The organisation may be a private company, public body, or other. However, they must abide by data security legislation. There are two main pieces of legislation in the UK that look to protect personal data. These are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which state that data controllers must secure and protect the personal data they collect from data subjects. So, what happens if a breach of personal data takes place? Could the data subject be eligible to make a data breach claim for compensation?

Public Interest Lawyers could help get your breach of personal data claim started. The solicitors on our panel all offer a No Win No Fee service. To begin your claim, please call our helpline today 0800 408 7825. Alternatively, please send us a message via our contact form, and we will get back to you right away.


How Long Do You Have To Report A Data Breach?

If you have reason to believe that your personal data was included in a breach, you might want to report the data protection breach. However, time limits apply for how long you have to report a data breach.

Firstly, you should notify the organisation that you believe breached your personal data. They must respond within one calendar month of receiving any required documentation from you.

If you are unsatisfied with their response or the organisation fails to respond, you could then report your concerns to the ICO. However, it is expected that you already made the report of the data protection breach to the organisation, followed up with them, or asked for clarification if required. Only after these steps can you report the data protection breach involving your personal data to the ICO.

If you are making a complaint to the ICO, you should do so within three months of your last meaningful contact with the organisation at fault.

How Long Do I Have To Start A Data Breach Claim?

If you are planning to make a data protection claim, you should report the breach and start the claim either:

  • Within 1 year, if you are claiming against a public body
  • Within 6 years for a non-public body.

This is in line with the information from the Limitation Act 1980. Please reach out to one of our team for information on how to make a report.

What Is A Personal Data Breach?

The UK GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, processed personal data. This same legislation defines personal data as any information relating to an identified or identifiable person (known as a data subject). Processing is anything that is done to personal data, such as its collection, recording or organisation. 

Additionally, this legislation sets the eligibility to make a data breach claim. It is set under Article 82 as:

  • The breach must have been caused by the data controller’s or processor’s failure to comply with data protection legislation. It doesn’t matter if the incident occurred accidentally through human error or through deliberate actions, such as hacking. A data controller is typically an organisation that determines why and how your personal data will be processed. They may instruct a processor to process data on their behalf. 
  • Your processed personal data must have been compromised in this breach. The controller will need to adhere to specific data breach reporting time criteria when notifying you of the incident. We look at this later on. 
  • As a result of this breach, you must have suffered either damage to your mental health or suffered a financial loss. 

If you would like information about when to report a data protection breach or when you can claim, get in touch with an advisor from our team. 

Examples Of When You Could Report A Data Breach

Personal data is information that can identify you, either directly or in combination with other information. Some examples of personal data include your name, home address, phone number and personal email addresses.

Some examples of how a personal data breach could occur could include:

  • A failure to use the BCC (blind carbon copy) when sending a mass email. This feature conceals email addresses from other recipients. Failure to do so could reveal your personal email to others and could result in you receiving unwarranted emails from people you don’t know.
  • An organisation could fail to update their cybersecurity measures, which could lead to your personal data being accessed during a cyber-attack.
  • Paperwork containing your personal data could be kept in an insecure location, resulting in it being lost or stolen.
  • Your personal data could be sent to the wrong person, such as sending a bill to the wrong email address.

If your personal data has been compromised, the organisation responsible should inform you of the personal data breach without undue delay if they believe your rights and freedoms could be at risk. Alternatively, you could report a data breach to the Information Commissioner’s Office (ICO) if you were to discover the breach yourself. In the next section, we will look at how quickly a data breach should be reported to the ICO.

However, to be able to make a claim for a personal data breach, you must prove that the organisation’s failings caused the breach, and as a result, you suffered financial loss or mental harm.

Call our advisors to see when you could make a claim for a personal data breach and the reporting time frame you have to report a data breach.

How Do You Report A Breach Of Data Protection?

So how do you report a data protection breach?

If an organisation breaches your data in the UK, they should report it to the ICO. However, not all data breaches need to be reported to the ICO, only ones that affect the rights and freedoms of a data subject.

How quickly should a data breach be reported?

A data breach should be reported quickly by businesses and organisations to the ICO, usually within 72 hours of discovery.

Moreover, the organisation should send you a GDPR data breach notification without undue delay.

However, if you have discovered a data breach yourself, you could, according to the ICO, raise your concerns with the organisation. Hopefully, the data protection officer will resolve the matter internally. However, if you are not satisfied with their efforts, you can report the data breach to the ICO. The Information Commissioner’s Office is a public body that enforces the UK data protection laws. The ICO can investigate and fine organisations that do not adhere to data protection legislation.

However, the ICO cannot award data breach victims compensation. So if you want to find out if you can make a data breach claim for compensation, call our expert advisors. They will listen to your case and advise if you have a valid claim. They can even offer to connect you with a data breach solicitor who offers a No Win No Fee service.

How long do you have to report a data breach to the ICO? If you want to report your data breach to the ICO for them to investigate, leave it no longer than 3 months since your last communication with the organisation you hold responsible for the data breach.

When Should A Data Breach Be Reported?

As explained, organisations do not have to report every breach or data security incident that occurs to the ICO. They have a requirement, however, to assess every breach and examine what type of information could be affected and what impact this could in turn have on a data subject.

The types of breaches that should be reported to the ICO are breaches that could harm a data subject’s rights and freedoms. Some examples of these as per the ICO are breaches that could result in:

  • Discrimination, for example, if they revealed special category data
  • Harm to a person’s reputation
  • Financial losses
  • Harm to victims, or witnesses, of a crime
  • Loss of confidential information that could affect a business or person

If you were affected by such a breach and not informed by the organisation, you can include this in the report you make to the ICO.

While they cannot act as your representative, the ICO can create a report of an organisation’s actions in breaches they investigate and prompt an organisation if they feel they have not responded to a request in an adequate manner. All of this can be used as evidence in your claim.

If you’re concerned you’ve taken too long to report a data breach to the ICO, please speak to one of our advisers. They can give you advice on other forms of action you can take against an organisation for a data breach, and information on other relevant organisations you might be able to contact to report your breach.

Report a Data Breach – Gathering Evidence

In order to make a successful claim, you will need to collect evidence that shows how an organisation was liable for a data breach, and how the data breach has affected you.

As we said, an ICO report of your data breach can be helpful, but if it is not provided then any communication you have with the organisation in which they admit or show liability could help you. If your personal data has been involved in a breach, the responsible organisation must inform you without undue delay.

Other evidence you could collect includes:

  • Payslips, receipts or bank statements to show any financial loss
  • Medical reports, or personal testimony of the breach’s effects on your mental health

If you want to learn more about how to start a claim for a data protection breach, or how reporting a breach to an organisation can help your claim, then please reach out to a member of our legal advice team.

Data Breach Compensation Claim Calculator

Now we’ve clarified the time frame for reporting a breach of security, this section will explain what you could receive as compensation. There are two types of compensation you may be able to receive as part of a data breach claim:

  • Material damage – This relates to any losses you’ve suffered financially because of the data breach. For instance, your financial details could be stolen, resulting in you suffering from monetary losses.
  • Non-material damage – This relates to any psychological injuries that you’ve suffered because of the breach. As such, this can include PTSD, anxiety and depression.

Due to the ruling of Google Inc vs Vidal-Hall and Others, you no longer need to suffer material damages from a data breach to claim for non-material damages. Furthermore, because of the ruling regarding Gulati and Others vs MGN Limited, when claiming for psychological damages from a data breach, they are now assessed in the same way as they are in personal injury claims.

The Judicial College Guidelines can give you a greater understanding of what you could receive for non-material damages. Please see the table below. The figures have been taken from the latest guidelines, published in 2022.

| Nature of The Injury | Level | Damages | Comments |
|---|---|---|---|
| Psychiatric Injuries | Severe | £54,830 to £115,730 | The effects may be permanent and there will be little chance of the person making a recovery. As the most severe category, the effects will extend through all parts of this person’s life. |
| Psychiatric Injuries | Moderately Severe | £19,070 to £54,830 | Difficulties could extend through all parts of this person’s daily life such as work and relationships. There is a greater scope for recovery than the person above. |
| Psychiatric Injuries | Moderate | £5,860 to £19,070 | By the time of a trial, there will have been a marked improvement and there will also be a good prognosis. |
| Post Traumatic Stress Disorder (PTSD) | Severe | £59,860 to £100,670 | The effects of post traumatic stress disorder will be permanent. These could extend through all parts of this person’s life from relationships to education and work. |
| Post Traumatic Stress Disorder (PTSD) | Moderately Severe | £23,150 to £59,860 | Whilst this victim could be affected in a similar way and some serious problems will persist, there may be a more positive outlook for recovery. |
| Post Traumatic Stress Disorder (PTSD) | Moderate | £8,180 to £23,150 | The victim should have made or will make a good degree of recovery. If there are any lasting effects these will not be considered ‘grossly disabling’. |

Examples Of Material Damage In Data Breach Claims

Compensation could also be awarded for material damage in personal data breach claims. This refers to the financial harm you experienced due to the personal data breach.

For example, a bank data breach could result in your banking information being compromised, and money could be withdrawn from your account.

In order to claim for your financial losses, you will need to submit evidence of them, such as a copy of your bank statements.

If you have any questions about reporting a data breach, or if you need to report a data breach to make a claim, you can contact our advisors.

How Can Public Interest Lawyers Help Me Make A No Win No Fee Claim?

Now that you know more about how to report a data breach and why reporting a data protection breach can be important, you might be wondering how Public Interest Lawyers could help you. Our team of advisors are available 24/7 to offer helpful advice on data breach compensation and can help you identify whether or not you have a valid claim. If you do, then they may pass you on to a solicitor from our panel.

There are many benefits to working with a solicitor on your data breach claim. For example, they could help you gather evidence to support your claim and could also help you negotiate a settlement.

Our panel of No Win No Fee solicitors are experts in data breach law and could help you through a Conditional Fee Agreement (CFA). Under this kind of agreement, they won’t take a fee at the start of your claim or as it progresses for their services. Similarly, if your claim doesn’t succeed, they won’t take a fee for their work.

If your claim succeeds, a small percentage of your compensation will be directed to your solicitor as a success fee. However, this percentage is capped by legislation, which helps to ensure that the majority of what you receive stays with you.

Contact Our Team

If you’d like to learn more about how our panel of data breach solicitors could help you, contact our team of helpful advisors today. To start your free consultation:

Reporting And Recording UK GDPR Breaches

Thank you for reading our guide on how long you have to report a data breach.