This guide looks at frequently asked questions for data breach claims. We aim to explore what a data breach is, why they happen and who could be responsible. Additionally, we will look at the compensation you could receive following a successful claim.
Data breaches can be a common problem, with 39% of UK businesses reporting a cyber attack in 2022. Organisations have a responsibility as per data protection law to protect your personal data. If they fail to do so, it could impact you in several ways, including psychologically or financially.
This guide will help you understand when you might be eligible to claim for a personal data breach that has caused you harm.
Although we have aimed to answer your questions, we understand you may still require other information. If so, you can get in touch with our team. To contact them, you can:
- Call on 0333 000 0729
- Fill out the online contact form
- Use the live chat feature
What Is A Data Breach?
Before we look at what a data breach is, it’s useful to understand what personal data is and why organisations use it. Personal data can be any piece of information that, when used alone or in conjunction with other details, can identify you. This can include your name, phone number, medical data and banking information.
There are two pieces of data protection law that outline an organisation’s responsibilities for protecting your personal data. These are the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). The DPA was updated after the UK left the EU. As per the UK GDPR, a personal data breach can be defined as a security incident leading to your personal information being destroyed, lost or altered either accidentally or unlawfully. It can also include your personal information being accessed or disclosed without authorisation.
An independent body called the Information Commissioner's Office (ICO) strives to uphold the data protection rights of the general public. They can investigate and issue penalties against any party that fails to adhere to these laws, causing a breach of your personal data.
Central to any compensation claim for a personal data breach would be the ability to show how an organisation failed to adhere to data protection laws and caused your personal data to become compromised. You must also show that you sustained financial damage or mental harm as a result.
If the ICO investigates an organisation that has failed to protect your personal data, you could use these findings as evidence to support your potential claim. Speak to our team for further clarification on whether you’re eligible to seek compensation.
How Do Data Breaches Happen?
There are many ways that a data breach can occur, from cyber-attacks such as phishing scams and malware attacks to human error. Some common human error problems that could give rise to a data breach include:
- Staff from the human resources department sending letters to the wrong recipient or address
- Emails sent to the wrong recipient
- Failure to redact data before sharing it
- Verbal disclosure to unauthorised people in social services
- The loss or theft of devices that contain personal data, such as laptops or smartphones
Our team can tell you if you could have a valid claim for compensation when you get in touch today.
What Should Companies Or Organisations Do After A Data Breach?
Organisations should inform data subjects without undue delay if the breach has affected their rights and freedoms. They also need to inform the ICO if the breach meets the threshold for reporting. If it does, they must do so within 72 hours.
What Can The Data Subject Do?
As the impacted data subject, you can raise a concern with the ICO directly. The ICO does not provide compensation. However, they may open an investigation into the breach. Depending on the results of the investigation, they may impose a fine on the organisation or take other enforcement action.
You could also start a claim if you’re eligible. Currently, there is a 6-year time period to start a personal data breach claim. However, this reduces to 1 year when claiming against a public body. Our advisors can tell you how these limits could affect your claim when you get in touch today.
When Can Your Data Be Used Without Your Consent?
Organisations are allowed to process your personal data, but they must do so according to 7 principles. One of these is having a lawful basis for processing. There are several lawful bases, and which one applies to an organisation depends on the purpose of the processing.
One of the lawful bases is consent. Consent is a key part of sharing personal data, as is the right to withdraw consent. However, it is only one of the six lawful bases for processing your personal data and is no more important than the other five. As such, an organisation may not always need your consent if they have another lawful basis for processing.
Contact our advisors today to find out more about when you may be eligible to make a data breach claim.
How Much Can You Claim For A UK GDPR Breach?
Following a successful personal data breach claim, you could receive up to two types of damages. Material damages account for the financial harm you suffer as a result of the breach, such as:
- Money stolen from your bank account or through credit card theft
- Debts taken out in your name by identity thieves
You will require documented proof to support your claim. Credit card statements, bank statements and your annual credit score can be presented as evidence and could form part of the calculation for your compensation.
Non-material damages refer to the psychological injury you have experienced as a result of the personal data breach. This can include psychiatric harm, anxiety, depression, or post-traumatic stress disorder (PTSD). Previously, non-material damages were only available to those claiming material damages. However, a precedent was set in the Court of Appeal in the Vidal-Hall & Others v Google Inc. (2015) case. Due to this, non-material damages can be claimed without also claiming material damages.
While there are no average payouts for a personal data breach claim, you can use the Judicial College Guidelines (JCG) to see guideline compensation payouts for non-material damages. These are guidelines that legal professionals use to help assign value to personal data breach claims. The table below illustrates some of the figures from the April 2022 publication of the JCG. Please only use these figures as a guide.
Type of Psychological and Psychiatric Injury | Compensation Bracket | Notes |
---|---|---|
PTSD - Post-Traumatic Stress Disorder - Severe (a) | £59,860 to £100,670 | Permanent impact on all aspects of the person's life. |
PTSD - Post-Traumatic Stress Disorder - Moderately Severe (b) | £23,150 to £59,860 | A better prognosis than in more severe cases due to professional help. |
PTSD - Post-Traumatic Stress Disorder - Moderate (c) | £8,180 to £23,150 | The person will have mostly recovered, with some non-grossly disabling issues continuing. |
PTSD - Post-Traumatic Stress Disorder - Less Severe (d) | £3,950 to £8,180 | A mostly full recovery within a couple of years. |
Psychiatric Injury of a General Type - Severe (a) | £54,830 to £115,730 | The person will have a very poor prognosis. |
Psychiatric Injury of a General Type - Moderately Severe (b) | £19,070 to £54,830 | A more optimistic prognosis but the person will still experience significant issues. |
Psychiatric Injury of a General Type - Moderate (c) | £5,860 to £19,070 | A good prognosis and significant improvement. |
Psychiatric Injury of a General Type - Less Severe (d) | £1,540 to £5,860 | Daily activities and sleep are affected. |
For a free estimation of what your individual claim could be worth, contact our team today.
Why Choose Legal Helpline?
Our panel of solicitors can help guide you through your claim by providing legal representation under a type of No Win No Fee agreement. A Conditional Fee Agreement (CFA) means you do not pay an upfront fee to your solicitor for their services. If your claim is successful, there will be a success fee to pay. This is a percentage with a legal cap. However, if your case is not successful, there will be no success fee to pay.
To find out how a solicitor from our panel could help represent your personal data breach claim, contact our advisors today. You can get in touch by:
- Calling on 0333 000 0729
- Filling out the online contact form
- Using the live chat feature
Learn More In Our Data Breach Claims Guide
For more helpful guides:
- Information on comparison site data breach claims
- Further details about bank data breach compensation claims
- Data breach compensation claims against the NHS
- How To Claim For A Breach of Children’s Services Data
- Can My Employer Share My Personal Information With Other Employees In The UK?
- Solicitors Lost My Medical File – Can I Claim?
Or, for further guidance on making a data breach claim:
- ICO – Make a complaint
- ICO – Data security incident trends
- NCSC – Information on cyber security for individuals and families
We hope this guide has answered your questions on data breach claims. Please get in touch if you need any other information.
Written by JJW
Edited by CH/MMI