How to Report A UK GDPR Breach And Make A Claim

By Max Morris. Last Updated May 20th 2022. The European Union in 2018 created a directive known as the General Data Protection Regulation (GDPR). The Data Protection Act (DPA) 2018 enacted these regulations into UK law. Since the Withdrawal Agreement, the UK has now created its own version of the General Data Protection Regulation (UK GDPR), and this runs closely alongside the updated version of the Data Protection Act 2018.

These new laws look to add better protection to your personal data when it is being processed. If these laws are not adhered to by those who decide why and in what way personal data should be used, then this information is at risk of being breached. If a data controller, such as an organisation that decides what data they will collect and for what purpose, breaches the UK GDPR, then they could be liable if your personal information is exposed.

We can only cover the basics in this guide. Your claim is going to be at least partially unique. This means we may not cover every question you have on this page. If this is the case, you can have your additional questions answered by our claim advisors. You can give them a call on 0800 408 7825, or request a callback using our contact form.

How To Report A UK GDPR Breach?

A breach of the UK GDPR could happen if a data controller, an organisation that decides why and how personal information will be collected, does not adhere to this piece of legislation. By not applying these regulations they are putting your personal data at risk of a data breach.

A data breach is a security incident that means personal data or sensitive data has been lost, stolen, destroyed or altered. It can also mean it has been accessed or disclosed without authorisation. This can be done accidentally or through deliberate actions.

Some data breaches are the result of outside influences, such as a cybercriminal breaching security protocols and gaining access to data. Others are caused by poor computer and network security. Simple mistakes due to human error can also result in a data breach.

What Data Is Protected?

Not all data is protected by the laws you will see below. There are certain categories of information that must be kept secure under these laws.

There are a number of bodies of legislation that could apply to your data. This includes the UK General Data Protection Regulation (UK GDPR), which is separate to the EU GDPR. It also includes the Data Protection Act 2018 (DPA). Data protection principles outlined in these regulations protect your personal and special data. Below is a short explanation of each of these.

  • Personal data is all the unique data that is applicable to you. Examples would be your name, postal address and email address, your phone number, date of birth, debit card and credit card information, bank account details, etc.
  • Special data is information that although not unique to you, can be used to identify something about you. For example, your racial background, religious beliefs, sexual preferences, etc.

How to Report a GDPR Violation in the UK

The regulatory body that oversees data privacy and security in the UK is called The Information Commissioner’s Office (ICO). This section will clarify how and if you need to report a GDPR breach.

An organisation should report a GDPR violation in the UK that has affected the rights and freedoms of the data subject. This should be reported to the ICO, and should be done without undue delay, but within 72 hours. You should be informed about a data breach that threatens your rights and freedoms without undue delay.

If you’re worried about the way an organisation has processed your data, then you can report this to the ICO directly. For example, an airline may have sent your payment details to another address even when you supplied them with up-to-date contact details. If you become aware of this and are not satisfied with their response, you can report it to the ICO within 3 months of the last meaningful communication with them.

When You Do Not Need To Report A UK GDPR Breach

Not every possible data breach needs to be reported. The severity of the breach will drive the reporting requirement. Generally, if a data subject is at risk, meaning their personal information has been exposed, then it is very likely that this will need to be reported.

Can I Make A Claim For A UK GDPR Breach?

In the same way as not all data breaches need to be reported to the ICO, not all data breach victims will qualify for compensation. In order to make a valid personal data breach claim for compensation, the onus is generally on the claimant/data subject to show how the data controller did not put the correct procedures in place to keep their personal information safe.

Also the data breach must have caused some type of damage. This is in the form of mental suffering or financial losses. It can even be a combination of both. You must be able to demonstrate through evidence how the data breach has affected you.

What Evidence Do I Need For A Data Breach Claim?

If your personal data has been exposed, this could mean that personal information such as your bank account details are in the hands of a third party. Similarly, your credit card information may have been exposed. Also you may have suffered mental illness and distress as a consequence of the personal data breach.

It is important to gather evidence to show your suffering. This could include correspondence from the organisation about the data breach, medical records to show your suffering, and bank and credit card statements to show your losses.

Calculating Compensation For Data Breach Claims

Now you know how to report a UK GDPR breach, we can look at the claim itself. Dealing with the aftermath of a data breach could be traumatic, causing mental harm. This mental suffering could have come about because your personal information has been exposed.

The table below shows example ranges for non-material damages for mental health problems. It is based on the Judicial College guidelines used by the legal system to value injuries. The figures have been taken from the most up-to-date ones available, published in April 2022. You can also try using our compensation calculator.

| Mental Issue | Severity | Compensation Bracket | Notes |
|---|---|---|---|
| General Psychiatric Damage | Severe | £54,830 to £115,730 | Mental health issues, such as depression and anxiety, which have a poor prognosis and usually significantly impact the quality of life of the injured person. |
| General Psychiatric Damage | Moderately Severe | £19,070 to £54,830 | Anxiety, and depression, among other mental disorders. The majority of awards fall somewhere in the middle despite the fact that awards support both extremes of the bracket. |
| General Psychiatric Damage | Moderate | £5,860 to £19,070 | There will already be some improvements and any lingering symptoms will not be major. |
| General Psychiatric Damage | Less Severe | £1,540 to £5,860 | An award will be determined in part based on the severity of the impairment and the duration of the disability. |
| PTSD | Severe | £59,860 to £100,670 | The person will not be able to function at a pre-trauma level. The person will potentially be negatively affected for the rest of their life. |
| PTSD | Moderately Severe | £23,150 to £59,860 | It is likely that a person will make a fair recovery in this category, since professional care may help. There is still the possibility that the effects will result in a measurable level of disability, potentially for a very long time. |
| PTSD | Moderate | £8,180 to £23,150 | In these cases, a sufferer is likely to recover fairly well, and any other mental health issues are unlikely to substantially hinder him or her. |
| PTSD | Less Severe | £3,950 to £8,180 | In most cases, a complete recovery can be expected within a couple of years of diagnosis, while minor symptoms may persist. |

Material Damages Explained

You may also be able to claim material damages for financial loss caused by a personal data breach.

In 2015, the case Vidal-Hall and others v Google Inc was heard by the Court of Appeal. The claimants were awarded non-material damages even though they suffered no financial harm, setting a precedent for you to potentially do the same.

Contact Us If You Have Been Affected By A UK GDPR Breach

We may be able to organise a solicitor to process your claim under a No Win No Fee agreement. This means no upfront payment to your solicitor to start the claim, and no solicitor fee to pay as the claim progresses.

If the claim is lost, your lawyer will not expect to collect a fee. If it is won, the success fee (which is legally limited) that you agreed on before the claim commenced may be due.

To tie up this guide on how to report a UK GDPR breach, we want to explain how you can get more help. Our claims advisors are available to provide free legal advice using the details below.

Telephone: 0800 408 7825

Or use our webchat or contact form.

GDPR Resources

Here are some useful web pages.

Cyber Security Breaches Survey 2021

Data Protection In The UK

Cyber Security Breaches Survey 2020

Here are some other claims guides to read over.

Claiming Data Breach Compensation

Claim For A Failure To Use BCC

Stolen Or Lost Device Data Breach Claims