Reporting and Claiming For UK GDPR Breach

By Danielle Newton. Last Updated 27th September 2023. In 2018 the European Union brought into force a piece of legislation known as the General Data Protection Regulation (GDPR). The Data Protection Act 2018 (DPA) enacted these regulations into UK law. Since the Withdrawal Agreement, the UK has created its own version of the General Data Protection Regulation (UK GDPR), which runs closely alongside the updated version of the Data Protection Act 2018.

How to report a UK GDPR breach guide

These new laws look to add better protection to your personal data when it is being processed. If these laws are not adhered to by those who decide why and in what way personal data should be used, then this information is at risk of being breached. If a data controller (an organisation that decides what data it will collect and for what purpose) breaches the UK GDPR, it could be liable if your personal information is exposed.

We can only cover the basics in this guide. Your claim is going to be at least partially unique. This means we may not cover every question you have on this page. If this is the case, you can have your additional questions answered by our claim advisors. You can give them a call on 0800 408 7825, or request a callback using our contact form.

What Is A Breach Of The UK GDPR?

A breach of the UK GDPR could happen if a data controller, an organisation that decides why and how personal information will be collected, does not adhere to this piece of legislation. By not applying these regulations they are putting your personal data at risk of a data breach.

A data breach is a security incident that means personal data or sensitive data has been lost, stolen, destroyed or altered. It can also mean it has been accessed or disclosed without authorisation. This can be done accidentally or through deliberate actions.

Some data breaches are the result of outside influences, such as a cybercriminal breaching security protocols and gaining access to data. Others are caused by poor computer and network security. Simple mistakes due to human error can also result in a data breach.

What Data Is Protected?

Not all data is protected by the laws you will see below. There are certain categories of information that must be kept secure under these laws.

There are a number of bodies of legislation that could apply to your data. This includes the UK General Data Protection Regulation (UK GDPR), which is separate from the EU GDPR. It also includes the Data Protection Act 2018 (DPA). The data protection principles outlined in these regulations protect your personal and special data. Below is a short explanation of each of these.

  • Personal data is all the unique data that is applicable to you. Examples would be your name, postal address and email address, your phone number, date of birth, debit card and credit card information, bank account details, etc.
  • Special data is information that, although not unique to you, can be used to identify something about you. For example, your racial background, religious beliefs, sexual preferences, etc.

How to Report a UK GDPR Violation in the UK

This section will discuss how to report a UK GDPR breach in the UK. If you’ve been notified of a UK GDPR violation in the UK, you could report this to the Information Commissioner’s Office (ICO). The ICO is an independent body that regulates data privacy and ensures organisations are following data protection legislation.

The ICO may investigate a UK GDPR violation and impose penalties on any organisation at fault. If a UK GDPR data breach has occurred, an organisation should report it to the ICO without undue delay and within 72 hours.

Should you have concerns about how your data has been breached, you should write to the responsible organisation. If you are not satisfied with the response, you may report a breach directly to the ICO but should do so within three months of the last time you had meaningful contact with the faulting organisation.

Speak to our advisors at any time, and they may connect you with a data protection solicitor from our panel.

Can I Make A Claim For A UK GDPR Breach?

In the same way that not all data breaches need to be reported to the ICO, not all data breach victims will qualify for compensation. In order to make a valid personal data breach claim for compensation, the onus is generally on the claimant (the data subject) to show how the data controller failed to put the correct procedures in place to keep their personal information safe.

The data breach must also have caused some type of damage, in the form of mental suffering, financial losses, or a combination of both. You must be able to demonstrate through evidence how the data breach has affected you.

What Are Some Examples Of UK GDPR Violations?

The aim of the UK GDPR is to hold organisations accountable for the way they store and process the personal data of UK residents.

When a company does not adhere to the principles set out in the UK GDPR, they can be found to be in breach of it. Some examples of UK GDPR violations under UK law include:

  • A failure to update information: If a person informs an organisation about a change to their personal information, such as their address, it is the organisation’s responsibility to make sure the change is implemented. A failure to update information can lead to a personal data breach in the form of information being sent to the wrong person.
  • Failure to be transparent: Data subjects have a right to be informed about their data. Collecting data about a person without informing them (where there is no lawful basis in place to do so), or failing to properly respond to a data subject’s request about how their data is being used, can be a data breach.
  • Security: Organisations have a responsibility to ensure that they store personal data securely and that access to personal data is either fair or necessary. A failure to properly secure personal data is a UK GDPR violation, and a breach if the information is then stolen or shared.

As we have mentioned, you are able to report a UK GDPR violation in the UK to the ICO – regardless of whether or not you are able to claim for the violation. The ICO can still investigate the organisation and possibly fine them.

If you are looking for help with how to report a GDPR violation in the UK, or for information about whether you may be able to claim for a personal data breach, please speak with one of our team.

Do I Need Evidence When Filing A UK GDPR Report?

If you are eligible to make a personal data breach claim, collecting sufficient evidence could help support your case.

Some examples of evidence that could be used to help support your claim include:

  • Proof that your personal data was breached – Following a data breach, an organisation must inform you without undue delay if your personal data was compromised and they believe your rights or freedoms may have been affected. You may have received an email or letter from them stating your personal data was breached, and this could be used as evidence in your claim.
  • Correspondence with the organisation responsible for the breach – If you discovered the data breach yourself, you could contact the organisation and ask them to clarify what personal data was involved in the breach.
  • Findings from the Information Commissioner’s Office (ICO) – You could report a GDPR breach that compromised your personal data to the ICO. They are an independent authority that upholds data protection law. If they decide to investigate the breach, their findings could be used as evidence in your claim. However, you must do this within three months of your last meaningful communication with the organisation responsible regarding the breach.
  • Proof that you suffered harm – For example, a copy of your medical records stating any psychological injuries you have been diagnosed with could be used as evidence of mental harm. A copy of your bank statements could help prove that you suffered financial loss.

Contact our advisors today if you have any questions about making a personal data breach claim following a breach of the UK GDPR, or how to report a breach to the ICO.

How Long Do I Have To Report A GDPR Violation In The UK?

The answer to this question can depend on a few different factors. One of the most important considerations is who your claim is against, as this affects the time limit you will need to abide by.

Generally, you have 6 years to make a data breach claim. In cases where you’re claiming against a public body, you have 1 year.

There can also be a few different scenarios where these time limits can be extended. However, this needs to be assessed on a case-by-case basis.

We understand that you may have additional questions about the time limits surrounding data breach claims. If so, our advisors are always on hand to help. They can even answer other questions such as “what is a breach of GDPR?”, as well as telling you how to report a GDPR breach in the UK. Reach out today.

Calculating Compensation For Data Breach Claims

Now that you’ve read through our UK GDPR breach reporting guide, you may like more information about how a settlement could be calculated. If your data breach claim is successful, you could receive compensation for two types of damage. These are non-material and material damage.

Non-material damage refers to any mental health harm that has been caused by the breach of your processed personal data. For guidance when valuing this type of compensation, legal professionals can refer to the Judicial College Guidelines (JCG). This document lists guideline compensation amounts for various types of mental harm.

In our table below, we look at guideline figures for mental health damage from the 16th edition of the JCG. As each claim is unique, it does not represent what you could receive.

| Mental Issue | Severity | Compensation Bracket | Notes |
| --- | --- | --- | --- |
| General Psychiatric Damage | Severe | £54,830 to £115,730 | Mental health issues, such as depression and anxiety, which have a poor prognosis and usually significantly impact the quality of life of the injured person. |
| General Psychiatric Damage | Moderately Severe | £19,070 to £54,830 | Anxiety and depression, among other mental disorders. The majority of awards fall somewhere in the middle, although awards are made at both extremes of the bracket. |
| General Psychiatric Damage | Moderate | £5,860 to £19,070 | There will already be some improvement, and any lingering symptoms will not be major. |
| General Psychiatric Damage | Less Severe | £1,540 to £5,860 | An award will be determined in part based on the severity of the impairment and the duration of the disability. |
| PTSD | Severe | £59,860 to £100,670 | The person will not be able to function at a pre-trauma level and will potentially be negatively affected for the rest of their life. |
| PTSD | Moderately Severe | £23,150 to £59,860 | It is likely that a person will make a fair recovery in this category, since professional care may help. There is still the possibility that the effects will result in a measurable level of disability, potentially for a very long time. |
| PTSD | Moderate | £8,180 to £23,150 | In these cases, a sufferer is likely to recover fairly well, and any other mental health issues are unlikely to substantially hinder him or her. |
| PTSD | Less Severe | £3,950 to £8,180 | In most cases, a complete recovery can be expected within a couple of years of diagnosis, while minor symptoms may persist. |

Material Damage

If you experience financial losses due to the breach of your personal data, you might be able to receive compensation for these. For example, your banking details could be accessed by criminals due to a data breach. Also, if you have needed to take time away from work due to the mental suffering caused by the data breach, your loss of earnings could be claimed for as part of material damage. You should provide evidence, such as credit reports or bank statements, to recover your losses.

If you would like to find out more about how to report a GDPR breach and what you could claim, speak to one of our advisors.

Reporting A UK GDPR Breach – Additional Compensation You Could Seek

Financial losses in a data breach are known as material damage. Losses could be caused by:

  • Loss of income, if the breach has disrupted your ability to work.
  • Replacement or repair costs for any breached items.
  • Theft, if your information is used fraudulently.

If an organisation does not reimburse you for your losses, then you could potentially make a claim for compensation for material damage.

Please reach out to one of our advisors if you would like to learn more about how to report a GDPR breach to an organisation and directly ask for compensation. You could also make a report to the ICO, though they encourage you to first speak with the organisation liable for the breach of the UK GDPR. The report you make to the organisation could detail the harm that was caused to you and discuss a claim.

Make A No Win No Fee Claim Following A UK GDPR Breach

We may be able to organise a solicitor to process your claim under a No Win No Fee agreement. This means no upfront payment to your solicitor to start the claim, and no solicitor fee to pay as the claim progresses.

If the claim is lost, your lawyer will not expect to collect a fee. If it is won, the success fee (which is legally limited) that you agreed on before the claim commenced may be due.

To tie up this guide on how to report a UK GDPR breach, we want to explain how you can get more help. Our claims advisors are available to provide free legal advice using the details below.

Telephone: 0800 408 7825

Or use our webchat or contact form.

GDPR Resources

Here are some useful web pages.

Cyber Security Breaches Survey 2021

Data Protection In The UK

Cyber Security Breaches Survey 2020

Here are some other claims guides to read over.

Claiming Data Breach Compensation

Claim For A Failure To Use BCC

Stolen Or Lost Device Data Breach Claims