Welcome to our guide about claims for breach of UK GDPR. We’ll cover the rights you have as a data subject to have your personal data protected by data controllers. (A data subject is someone whose personal data is processed. A data controller decides how and why this personal data is processed.)
Furthermore, our guide aims to provide you with information on what defines a data breach, how it may be caused and the impact it can have both psychologically and financially.
Additionally, we’ll explore the role the UK GDPR and Data Protection Act 2018 (DPA) have in regulating organisations’ handling of personal data. Also, we’ll look at the role the Information Commissioner’s Office (ICO) has in the enforcement of data protection regulations.
It’s important to point out that not every data breach can lead to a claim. To claim, you must have evidence that the party that was supposed to protect your personal data failed to take reasonable steps to do so. You’ll also need to show you suffered harm as a result of the data breach.
For help navigating the often complex nature of data breach claims, it may be helpful to use the services of a solicitor. However, if you’re concerned about costs often required for solicitors’ services, our guide will explore the option of a No Win No Fee agreement.
For more information, continue reading our guide. Alternatively, you can get in touch with our advisors using the following contact details:
- Telephone – 0800 408 7825
- Fill out your details on the contact form
- Get instant advice from an advisor via our live chat below
Select A Section
- What Is The UK GDPR?
- What Is A Breach Of The UK GDPR?
- Who Could You Make Claims For Breach of UK GDPR Against?
- How Do GDPR Breaches Happen?
- What Types Of Damages Are Awarded In Claims For Breach Of UK GDPR?
- Calculating What Types Of Damages Are Awarded In Claims For Breach Of UK GDPR?
- Speak To Data Breach Claims Solicitors
- Learn More About Data Breach Claims
The UK GDPR is a framework for organisations on protecting the personal data they hold about data subjects. Seven principles lie at the heart of the framework. They require organisations to:
- Having a lawful basis to use personal data
- Being clear about their purposes for processing
- Limiting the data they’re processing to what’s necessary
- Ensuring the data they hold is correct and up to date
- Not keeping personal data for longer than is necessary
- Having appropriate security measures in place to protect personal data
- Taking responsibility for what they do with personal data and complying with other principles
A data breach involves personal data being lost, destroyed, accessed, changed or disclosed in an unauthorised or unlawful way. It can occur either accidentally or deliberately by someone inside or outside the organisation.
Personal data or personal information is information that could directly or indirectly identify you, such as your name, address or email address. Other personal data might include information such as medical details.
There are different ways a breach of personal data could happen to both physical and digital documents or files. For example:
- Posting documents that enclose medical information to an unauthorised recipient
- A lost or stolen device containing personal data that is not password-protected or encrypted
- Improperly disposing of bank statements causing them to be accessed without a lawful basis
- Leaving physical documents containing personal information in unlocked cabinets or out on desks for unauthorised persons to access
- Failure to use blind carbon copy (BCC) when including someone in an email to protect their email address from other recipients’ access
- Sending personal information in an email to the wrong person
- Leaving an unattended computer unlocked and personal data therefore easily accessible
- Weak security controls that allow phishing or other attacks to succeed
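Two of the email mistakes above (visible recipient lists and mis-addressed mail) are common enough that organisations often add an automated pre-send check. The script below is an added example, not part of the original guide or any product; the sample messages, the domain names and the "more than one visible external recipient" threshold are constructed for illustration.

```python
"""Pre-send checks for two common email data breaches:
(1) external recipients placed in To/Cc instead of Bcc, so they see each other;
(2) a recipient domain one typo away from a domain the sender normally writes to."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real addresses or organisations).
SAMPLE_BULK = """\
From: clinic@example-trust.nhs.uk
To: alice@example.com, bob@example.org, carol@example.net
Subject: Appointment reminder

Your appointment is next week.
"""

SAMPLE_MISADDRESSED = """\
From: hr@example-trust.nhs.uk
To: j.smith@exampl.com
Subject: Payslip attached

Please find your payslip attached.
"""

SAMPLE_OK = """\
From: clinic@example-trust.nhs.uk
To: clinic@example-trust.nhs.uk
Bcc: alice@example.com, bob@example.org
Subject: Appointment reminder

Your appointment is next week.
"""

OWN_DOMAIN = "example-trust.nhs.uk"            # assumed sender domain
KNOWN_DOMAINS = ["example.com", "example.org", "example.net"]  # assumed usual correspondents


def visible_recipients(raw):
    """Return the addresses every recipient can see: To and Cc, never Bcc."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, own_domain=OWN_DOMAIN, known_domains=KNOWN_DOMAINS,
                  max_visible_external=1):
    """Return a list of warnings; an empty list means the message may be sent."""
    warnings = []
    visible = visible_recipients(raw)

    # Check 1: several external people in To/Cc disclose each other's addresses.
    external = [a for a in visible if not a.endswith("@" + own_domain)]
    if len(external) > max_visible_external:
        warnings.append(
            f"{len(external)} external recipients are visible to each other; move them to Bcc")

    # Check 2: a domain that is one edit away from a known domain is probably a typo.
    for addr in external:
        domain = addr.rsplit("@", 1)[-1]
        for known in known_domains:
            if domain != known and edit_distance(domain, known) <= 1:
                warnings.append(
                    f"{addr}: domain {domain!r} looks like a typo of {known!r}")
    return warnings


if __name__ == "__main__":
    for name, raw in [("bulk", SAMPLE_BULK), ("misaddressed", SAMPLE_MISADDRESSED),
                      ("ok", SAMPLE_OK)]:
        print(name, check_message(raw) or "passes")
```

The edit-distance check only catches near-miss domains; a wrong but well-formed recipient (the right domain, the wrong person) still needs a human review step, which is why the Bcc rule and recipient confirmation are usually combined with staff training rather than relied on alone.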
If there is evidence that an organisation has suffered or caused a personal data breach, the ICO may launch an investigation. If the organisation is found responsible, the ICO can issue fines and take other enforcement action.
For more information, visit the ICO website for examples of action they’ve taken.
A data controller determines how and why your personal data is going to be processed. In addition, they have a responsibility to protect the personal data they hold about you. Examples of a data controller might include:
- An employer
- Your local council
- A government department
- A hospital
- A GP surgery
However, data breaches don’t always mean that the data controller is liable or that you can make a data breach claim. A controller could have done everything reasonably possible to protect your personal data, but a breach still happens.
For that reason, in order to make a claim for a UK GDPR data breach, you must have evidence to prove that because a controller failed to take reasonable steps to protect your data:
- A breach occurred
- You suffered psychological or financial harm as a result.
For instance, they may have failed to provide training to employees on how to dispose of digital files safely, or they may not have provided standard security software.
A data breach could happen for many reasons, such as increasingly sophisticated cyber attacks. According to the Cyber Security Breaches Survey 2021, phishing was the most common type of attack identified, reported by 83% of businesses and 79% of charities that had identified a breach or attack.
Additionally, human error could lead to a breach in data privacy. This may have been caused by a lack of consistent training on steps that can be taken to prevent breaches. In turn, this could lead to the following:
- Allowing unauthorised users to access company devices
- Poor password practices
- Poor management of privileged accounts, e.g. administrator accounts with access to personal data
- Personal data stored or sent without encryption
Furthermore, the Cyber Security Breaches Survey 2021 found that organisations lacked awareness of government guidance on preventing breaches.
The graph below uses figures from the survey to highlight the percentage of 1,419 UK businesses and 487 charities that were aware of government guidance, initiatives or communication campaigns.
In successful data breach claims, your settlement may involve material damages that compensate you for any financial losses caused by the data breach. This could include past and future money lost after having your credit card details stolen, for example.
Additionally, your claim may include non-material damages that compensate you for any psychological harm you’ve experienced because of the breach.
It’s important to note that evidence will be required to support your claim for both material and non-material damages.
For instance, medical reports can be used to highlight the extent of any psychological harm you’ve experienced. Furthermore, you’ll need evidence of any financial losses, such as bank statements.
Before the case of Vidal-Hall and Others v Google Inc [2015] EWCA Civ 311, you could only seek data breach compensation for psychological damage if you had also experienced financial loss.
However, the Court of Appeal held that data breach compensation can be awarded for mental harm even where there is no financial loss. For that reason, you can now seek compensation for psychological damage regardless of whether your finances were affected.
We have created a compensation table below detailing the different mental injuries you could claim for. To create this table, we used the Judicial College Guidelines (JCG). This is a document often used to help value claims alongside other evidence you provide in support of your claim for UK GDPR data breach.
However, you should only use the figures as an example because your final settlement figure will vary depending on several unique factors of your case.
| Type of damage | Level of damage | Notes | Example compensation figures |
|---|---|---|---|
| Psychological Injury | Severe | The person will have noticeable problems with their ability to cope with work, life and education as well as other factors. The prognosis will also be poor. | £51,460 to £108,620 |
| Psychological Injury | Moderately severe | There will be significant problems with the person's relationships; however, there will be a better prognosis than above. | £17,900 to £51,460 |
| Psychological Injury | Moderate | The person will have similar problems as those listed above; however, they will have shown a noticeable improvement and they will have a good prognosis. | £5,500 to £17,900 |
| Psychological Injury | Less severe | The award given will depend on how long symptoms have affected the person and the extent to which they're affected. | Up to £5,500 |
| Post-Traumatic Stress Disorder (PTSD) | Moderate | The person will have largely recovered, with some moderate ongoing effects. | £7,680 to £21,730 |
| PTSD | Less severe | Some minor symptoms may persist, but the person will have largely recovered within one to two years. | £3,710 to £7,680 |
If you can’t see your injuries in the compensation table above, why not call our advisors?
For more information on claims for a UK GDPR data breach, you can get in touch with our advisors: they can answer any questions you may have.
Also, if you’re ready to seek compensation, they can assess your claim. If they feel it has a good chance of success, they could connect you with a solicitor from our panel, who could represent you on a No Win No Fee basis.
A No Win No Fee agreement means that you won’t be asked to pay solicitor fees if your claim fails.
Additionally, you can avoid upfront solicitor fees often required when hiring a solicitor to start work on a claim. Also, you could avoid paying solicitor fees during your claim.
If your claim wins, you’ll need to pay a success fee that will be deducted from your total compensation package. However, this is something your solicitor will make you aware of before starting your claim.
For more information, get in touch with our advisors on the details below:
- Telephone – 0800 408 7825
- Fill out your details on the contact form
- Get instant advice from an advisor via the live chat below
See our guide on making a claim following a wrong postal address data breach.
Our guide on making a claim following a wrong email address data breach could help.
We also have guides on personal injury claims if you’ve been injured and it wasn’t your fault.
Read about some data protection breach compensation examples.
See the ICO guidance on how to be more data-aware.
If you have concerns that someone has breached your data privacy, you could make a complaint to the ICO.
The ICO also have news about data protection developments.
We also have some other guides you may find useful:
- Public accident claims hot spots
- Council slip and trip accidents
- Public transport accidents
- How to make a public liability claim
- Making a claim against the council
- Claiming for a pothole injury
- Making a claim against a shop
- Accidents in a public park
- Cycling accident claims
- Claiming for injuries suffered while shopping
- How To Claim For A Foster Care Data Breach
- A Rehabilitation Centre Breached My Data – Can I Claim?
- How To Make A Stolen Phone Data Breach Claim
- Compensation Amounts After A UK GDPR Breach
- Who Can Claim For A Treatment Centre Data Breach?
- My Employer Breached The UK GDPR, How Do I Claim?
Thank you for reading our guide on claims for breach of UK GDPR.
Article by EI