How Long Do You Have To Report A Data Breach And Start A Claim?

By Cat Mulligan. Last Updated 22nd April 2024. This guide will look at how long you have to report a data breach and how quickly the report must be made.

We also look at how long a company has to report a data breach. Moreover, we explain how to claim compensation for a personal data breach.

It’s normal for organisations to collect personal data from employees, clients and other stakeholders. Organisations that decide why and how personal information is collected are known as data controllers.

The organisation may be a private company, public body, or other. However, they must abide by data security legislation. There are two main pieces of legislation in the UK that look to protect personal data.

These are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which state that data controllers must secure and protect the personal data they collect from data subjects. So, what happens if a breach of personal data takes place? Could the data subject be eligible to make a data breach claim for compensation?

Public Interest Lawyers could help get your breach of personal data claim started. The solicitors on our panel all offer a No Win No Fee service. To begin your claim, please call our helpline today 0800 408 7825. Alternatively, please send us a message via our contact form, and we will get back to you right away.



How Long Do You Have To Report A Data Breach?

If you have reason to believe that your personal data was included in a breach, you might want to report the data protection breach. However, time limits apply for how long you have to report a data breach.

Firstly, you should notify the organisation that you believe breached your personal data. They must respond within one calendar month of receiving any required documentation from you.

If you are unsatisfied with their response or the organisation fails to respond, you could then report your concerns to the ICO. However, it is expected that you already made the report of the data protection breach to the organisation, followed up with them, or asked for clarification if required. Only after these steps can you report the data protection breach involving your personal data to the ICO.

If you are making a complaint to the ICO, you should do so within three months of your last meaningful contact with the organisation at fault.

How Long Do I Have To Start A Data Breach Claim?

If you are planning to make a data protection claim, you should report the breach and start the claim either:

  • Within 1 year, if you are claiming against a public body
  • Within 6 years for a non-public body.

This is in line with the information from the Limitation Act 1980. Please reach out to one of our team for information on how to make a report.

What Is A Personal Data Breach?

The UK GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, processed personal data. This same legislation defines personal data as any information relating to an identified or identifiable person (known as a data subject). Processing is anything that is done to personal data, such as its collection, recording or organisation. 

Additionally, this legislation sets the eligibility to make a data breach claim. It is set under Article 82 as:

  • The breach must have been caused by the data controller’s or processor’s failure to comply with data protection legislation. It doesn’t matter if the incident occurred accidentally through human error or through deliberate actions, such as hacking. A data controller is typically an organisation that determines why and how your personal data will be processed. They may instruct a processor to process data on their behalf. 
  • Your processed personal data must have been compromised in this breach. The controller will need to adhere to specific data breach reporting time criteria when notifying you of the incident. We look at this later on. 
  • As a result of this breach, you must have suffered either damage to your mental health or suffered a financial loss. 

If you would like information about when to report a data protection breach or when you can claim, get in touch with an advisor from our team. 


Examples Of When You Could Report A Data Breach

Personal data is information that can identify you, either directly or in combination with other information. Some examples of personal data include your name, home address, phone number and personal email addresses.

Some examples of how a personal data breach could occur could include:

  • A failure to use the BCC (blind carbon copy) when sending a mass email. This feature conceals email addresses from other recipients. Failure to do so could reveal your personal email to others and could result in you receiving unwarranted emails from people you don’t know.
  • An organisation could fail to update their cybersecurity measures, which could lead to your personal data being accessed during a cyber-attack.
  • Paperwork containing your personal data could be kept in an insecure location, resulting in it being lost or stolen.
  • Your personal data could be sent to the wrong person, such as sending a bill to the wrong email address.

If your personal data has been compromised, the organisation responsible should inform you of the personal data breach without undue delay if they believe your rights and freedoms could be at risk. Alternatively, you could report a data breach to the Information Commissioner’s Office (ICO) if you were to discover the breach yourself. In the next section, we will look at how quickly a data breach should be reported to the ICO.

However, to be able to make a claim for a personal data breach, you must prove that the organisation’s failings caused the breach, and as a result, you suffered financial loss or mental harm.

Call our advisors to see when you could make a claim for a personal data breach and the reporting time frame you have to report a data breach.

How Do You Report A Breach Of Data Protection?

This section will discuss how to report a UK GDPR breach in the UK. If you’ve been notified of a UK GDPR violation in the UK, you could report this to the Information Commissioner’s Office (ICO). The ICO is an independent body that regulates data privacy and ensures organisations are following data protection legislation.

The ICO may investigate a UK GDPR violation and impose penalties on any organisation at fault. If a UK GDPR data breach has occurred, an organisation should report to the ICO without undue delay and within 72 hours.

Should you have concerns about how your data has been breached, you should write to the responsible organisation. If you are not satisfied with the response, you may report a breach directly to the ICO but should do so within three months of the last time you had meaningful contact with the faulting organisation.

Speak to our advisors at any time, and they may connect you with a data protection solicitor from our panel.

When Should A Data Breach Be Reported?

As explained, organisations do not have to report every breach or data security incident that occurs to the ICO. They have a requirement, however, to assess every breach and examine what type of information could be affected and what impact this could in turn have on a data subject.

The types of breaches that should be reported to the ICO are breaches that could harm a data subject’s rights and freedoms. Some examples of these as per the ICO are breaches that could result in:

  • Discrimination, for example, if they revealed special category data
  • Harm to a person’s reputation
  • Financial losses
  • Harm to victims, or witnesses, of a crime
  • Loss of confidential information that could affect a business or person

If you were affected by such a breach and not informed by the organisation, you can include this in the report you make to the ICO.

While they cannot act as your representative, the ICO can create a report of an organisation’s actions in breaches they investigate and prompt an organisation if they feel they have not responded to a request in an adequate manner. All of this can be used as evidence in your claim.

If you’re concerned you’ve taken too long to report a data breach to the ICO, please speak to one of our advisers. They can give you advice on other forms of action you can take against an organisation for a data breach, and information on other relevant organisations you might be able to contact to report your breach.


Gathering Evidence To Support A Data Breach Claim

In order to make a successful claim, you will need to collect evidence that shows how an organisation was liable for a data breach, and how the data breach has affected you.

As we said, an ICO report of your data breach can be helpful, but if it is not provided then any communication you have with the organisation in which they admit or show liability could help you. If your personal data has been involved in a breach, the responsible organisation must inform you without undue delay.

Other evidence you could collect includes:

  • Payslips, receipts or bank statements to show any financial loss
  • Medical reports, or personal testimony of the breach’s effects on your mental health

If you want to learn more about how to start a claim for a data protection breach, or how reporting a breach to an organisation can help your claim, then please reach out to a member of our legal advice team.

Data Breach Compensation Claim Calculator

Now we’ve clarified the time frame for reporting a breach of security, this section will explain what you could receive as compensation. There are two types of compensation you may be able to receive as part of a data breach claim:

  • Material damage compensation – This relates to any losses you’ve suffered financially because of the data breach. For instance, your financial details could be stolen, resulting in you suffering from monetary losses.
  • Non-material damage compensation – This relates to any psychological injuries that you’ve suffered because of the breach. As such, this can include PTSD, anxiety and depression.

The Judicial College Guidelines can give you a greater understanding of what you could receive for non-material damages. Please see the table below, but note that the first entry has not been taken from the JCG.

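| Nature of The Injury | Level | Damages |
| Multiple Instances Of Mental Harm And Special Damages | Severe | Up to £250,000+ |
| Psychiatric Injuries | Severe | £66,920 to £141,240 |
| Psychiatric Injuries | Moderately Severe | £23,270 to £66,920 |
| Psychiatric Injuries | Moderate | £7,150 to £23,270 |
| Psychiatric Injuries | Less Severe | £1,880 to £7,150 |
| Post Traumatic Stress Disorder (PTSD) | Severe | £73,050 to £122,850 |
| Post Traumatic Stress Disorder (PTSD) | Moderately Severe | £28,250 to £73,050 |
| Post Traumatic Stress Disorder (PTSD) | Moderate | £9,980 to £28,250 |
| Post Traumatic Stress Disorder (PTSD) | Less Severe | £4,820 to £9,980 |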

Examples Of Material Damage In Data Breach Claims

Compensation could also be awarded for material damage in personal data breach claims. This refers to the financial harm you experienced due to the personal data breach.

For example, a bank data breach could result in your banking information being compromised, and money could be withdrawn from your account. Or, you may lose out on earnings after taking time off work to recover from your psychological injuries.

In order to claim for your financial losses, you will need to submit evidence of them, such as a copy of your bank statements.

If you have any questions about reporting a data breach, or if you need to report a data breach to make a claim, you can contact our advisors.


How Can Public Interest Lawyers Help Me Make A No Win No Fee Claim?

Now that you know more about how to report a data breach and why reporting a data protection breach can be important, you might be wondering how Public Interest Lawyers could help you. Our team of advisors are available 24/7 to offer helpful advice on data breach compensation and can help you identify whether or not you have a valid claim. If you do, then they may pass you on to a solicitor from our panel.

There are many benefits to working with a solicitor on your data breach claim. For example, they could help you gather evidence to support your claim and could also help you negotiate a settlement.

Our panel of No Win No Fee solicitors are experts in data breach law and could help you through a Conditional Fee Agreement (CFA). Under this kind of agreement, they won’t take a fee at the start of your claim or as it progresses for their services. Similarly, if your claim doesn’t succeed, they won’t take a fee for their work.

If your claim succeeds, a small percentage of your compensation will be directed to your solicitor as a success fee. However, this percentage is capped by legislation, which helps to ensure that the majority of what you receive stays with you.

Contact Our Team

If you’d like to learn more about how our panel of data breach solicitors could help you, contact our team of helpful advisors today. To start your free consultation:

Learn More About How Long You Have To Report A Data Breach

Thank you for reading our guide on how long you have to report a data breach.