How To Report A Data Breach Incident
By Daniel Archer. Last Updated 22nd February 2023. In this guide, we’re going to look at how to report a data breach. Your data may have been exposed due to some kind of failure by an organisation to comply fully with the General Data Protection Regulation (GDPR). We look at how data breaches happen and why you may be in a position to make a claim if you suffer financial or mental harm because of one.
We’ll focus on how breaches are reported to the ICO, what can be reported and the steps you could take afterwards.
Claims are unique. Each is based on a specific set of circumstances. Therefore, we understand you might have questions that fall outside of the scope of this guide. If this is the case, you can call our claims team on 0800 073 8804. They can help you further.
Alternatively, you can contact our advisors through the live chat on this page. You can also send a note through our contact page if you’d prefer. Or email us at firstname.lastname@example.org. Our claims advisors are available 24 hours a day, 7 days a week. What’s more, you won’t be under any obligation to proceed with the services of our solicitors after getting in touch.
Select A Section:
- A Guide On How To Report A Data Breach
- What Is A Data Breach?
- How Do I Know If My Data Privacy Has Been Breached?
- What Data Breaches Can Be Reported To The ICO?
- What Information About My Data Breach Will I Need To Give When Making A Report?
- How To Report A Data Breach To The ICO
- Reporting Data Breaches – How Long Do You Have?
- What Happens When You Report A Data Breach Incident?
- What Types Of Compensation May Be Awarded For Data Breaches?
- Calculating Compensation Awards For Data Breach Incidents
- How A Data Breach Solicitor Could Help You
- No Win No Fee Claims For Breaches In Data Protection
- Start A Claim For Data Protection Breaches
- Additional Services
You are reading a guide about how to report a data protection breach. If you have been the victim of a personal data breach and it caused you mental harm or financial loss, you could be in a position to make a compensation claim.
Organisations that decide how and why personal data should be processed are known as data controllers. In the UK, they have to comply with rules and regulations related to data privacy and security. This includes the Data Protection Act 2018, which enacted the GDPR into UK law. When they don’t comply, a data breach could occur.
The first few sections of this guide give background information about data breaches. We look at why they occur, how you can be affected and under what circumstances you could claim compensation.
We will also look at the process of reporting a personal data breach to the Information Commissioner’s Office (ICO). This includes what you can report, and what information you will need to provide the ICO. Time limits are also covered.
The later sections of this guide cover the claims process. We explain the two types of damages you might be able to claim, as well as provide a compensation table to help you value any psychological injury the breach may have caused. Lastly, you will learn about the benefits of making a No Win No Fee claim.
Do You Need More Help?
We understand that this guide might not have the answers to all of your questions. Moreover, you might want to gain an understanding of personal data breach claims from a real person. If this sounds like you, please do take the time to call our advisors on the number at the top of the page. Our advisors are available 24 hours a day, every day. They can also put you in touch with our solicitors, who offer No Win No Fee agreements.
Before we look at how to report a data protection breach in the UK, we’ll explore what a personal data breach is. Every organisation that processes personal information in the UK has to comply with GDPR. This includes government bodies, healthcare providers, schools and businesses. If the organisation processes personal data, then GDPR will apply.
The GDPR has been enacted into UK law under the Data Protection Act 2018. It’s aimed at ensuring you have more control over your data and that organisations protect your data. If compliance fails, then a personal data breach might occur. Breaches can be accidental or deliberate and occur when a breach of security causes personal data to be unlawfully:
There is a process that you may choose to follow if this happens, which we will look at later in this guide.
How Does A Data Breach Happen?
Data breaches can happen for a number of reasons. However, two root causes are:
- Mistakes or accidents. For example, an employee might send an email containing personal data to an unauthorised recipient due to an email address mix-up.
- Malicious activity, such as a cyberattack.
We will go over each of these in their own section below. It is important to note that, in either instance, the data controller or the data processor could be liable to pay compensation.
A data processor acts on the instructions of a data controller. For example, an agency might process data for a data controller. If they didn’t provide sufficient security measures and caused a breach, they could be liable.
Accidental Data Breaches
In this category, data breaches happen due to error or oversight. An employee of the organisation, for example, may cause a personal data breach. Examples include:
- An employee accidentally emailing your personal data to somebody who is not authorised to have it.
- A lost or stolen laptop that had your data stored on it.
- A removable storage device such as an external hard drive or USB stick being thrown away, without destroying the data.
- Sending personal information in a letter addressed to an incorrect recipient who is unauthorised to view the personal data.
- Leaving a monitor switched on that is displaying personal data for anyone to read.
Malicious Data Breaches
Organisations should ensure that their computers and systems are secure from external tampering and access. Unfortunately, cybercriminals can find vulnerabilities and exploit data that isn’t properly protected. Examples of ways they might do this include:
- Trying to trick staff members into divulging login information in a phishing attack.
- Using spyware to steal sensitive data.
- Using ransomware to hold personal data to ransom.
Malicious data breaches don’t always have to be online, however. Personal data held on paper records could be accessed and exploited too. To find out more, contact our advisors.
How Can A Data Breach Cause You A Problem?
The next thing we need to cover before we look at how to report a data breach is the effect that a personal data breach can have on your life. We share our personal data with a wide range of bodies, from the Government to websites. We may also share sensitive data such as:
- Passport information
- Credit and debit card information (such as numbers, expiry dates and CVV codes)
- Bank account details (such as account number and sort code)
- Home address
- National Insurance number
- Driving licence details
- NHS patient number
- Phone number
And the list could go on. This information, if in the wrong hands, could be used nefariously. In a worst-case example, your identity could be stolen. The cybercriminal could:
- Buy things using your credit cards.
- Take out new loans.
- Take over your bank accounts.
- Open new bank accounts.
Once the cybercriminal has enough of your private data to successfully pass themselves off as you, they could do real harm. You could not only suffer financially but mentally too. You may experience anxiety or depression.
Reporting Data Breaches – The Evidence You’ll Need To Claim
Understanding how to report a UK GDPR breach is important as doing so can ensure you have evidence to support your potential claim. For example, when reporting the breach to the organisation involved by sending an email or letter, you can keep this correspondence detailing the nature of the breach as evidence.
Additionally, if you report the breach to the ICO, they could choose to investigate the incident. As such, you could use their findings to support your potential claim.
Other examples of evidence you could gather to support your claim include:
- Financial records – A data breach could mean that your finances become compromised. For example, your bank details may have been included in the data that was leaked. If so, it could be that unauthorised and unfamiliar payments show up on your bank statement.
- Medical records – This can help prove any psychological harm you have sustained as a result of the personal data breach. For example, you may have suffered from stress, anxiety or distress.
For additional examples of the evidence you can gather, or general guidance on data breach claims, get in touch with our advisors today. Alternatively, continue reading to learn how long you have to report a data breach.
Before you report a data breach, you should try to discover how it occurred. If there has been a personal data breach that risks your rights and freedoms, the organisation should inform you. For example, they may send a letter or email advising you of the breach.
There are some indicators that your data has been accessed by criminals, such as:
- Receiving emails telling you your passwords have been changed.
- Phone calls from your bank querying large or suspicious transactions.
- Telephone calls from businesses confirming orders you didn’t place.
- Being sent SMS messages with one-time access codes that you didn’t request.
All of these are suspicious activities that could point to your data being accessed and used by cybercriminals. However, there are other kinds of data breaches that don’t result in financial loss and aren’t necessarily caused by criminals.
Breaches In Data Integrity
Organisations that process your personal data should ensure it is correct under the law. In some cases, incorrect data could have an adverse effect on your life. As an example, you might discover such a breach if you apply for a loan and find that it is declined because there is incorrect data on your credit report. If you suffer financially or mentally because of this, the company that has stored the wrong data about you could be liable for compensation.
Data Breaches In Data Confidentiality
Part of learning how to report a breach of data protection is understanding why you need to make a complaint in the first place. Your personal data is, well, private. When you share it with an organisation, in many circumstances they are obligated to keep it secure, safe and confidential.
This means it should only ever be used for the purpose that it was provided for and should not be shared with a third party unless you give your consent or there is a lawful reason why the organisation doesn’t need your consent. However, mistakes can be made, and your data can be shared with the wrong parties. Or a successful cyberattack could breach confidentiality.
You may know about a breach in data confidentiality if an unauthorised colleague at work, for example, advises you they received your annual salary uplift letter. If you ever suspect you’re the victim of a personal data breach but haven’t had confirmation, it is best to advise the organisation that potentially caused the breach directly.
Breaches In Data Availability
This is possibly the most difficult type of personal data breach to identify without a notification from the data controller or processor. That’s because, here, the breach relates to personal data that has been lost.
You may discover this has happened if you need to retrieve or access your personal data. After getting in touch with the data controller to access it, for example, they may advise you that they can’t find it, even though it was with them before and they’ve not destroyed it.
When an organisation loses your data, it can have mental and financial repercussions on your life. If it does, they could be liable to pay compensation.
Part of how to report a data breach under GDPR is knowing what types of data breaches can be reported to the Information Commissioner’s Office.
Organisations only have to report certain data breaches to you and the ICO. If the breach poses a likely risk to affected data subjects’ rights and freedoms, they should tell the ICO. (A data subject is someone whose data is processed by a data controller or processor.) They should also tell the data subject.
You would only report a data breach to the ICO if, after discovering you were the victim of one, you contacted the organisation responsible. If they didn’t appropriately respond, you could contact the ICO about the breach within 3 months of the organisation’s final reply. The ICO may then investigate, but undue delays in reporting can affect their decisions.
You can call our claims team for help if you are struggling to classify your own data breach and would like to know if you could report it.
When you make a complaint to the ICO, you should provide correct information about the personal data breach. You can report personal information concerns through their website.
The form will request information. You can provide:
- A description of the situation.
- How you found out about the data breach, and when.
- Details about the people that the personal data breach has affected or will affect.
- Proof that you have contacted the organisation.
- What you have done in response to the data breach.
- The organisation’s contact details.
- Your contact details so that the ICO can follow up the complaint with you.
When it comes to how to report a data breach, there are different ways that you can ask for advice on submitting a complaint to the ICO:
- You can call the ICO and ask for advice on how to make a complaint.
- During office hours, you can use the ICO live chat.
If you are ready to report a data breach, however, and have taken the appropriate steps beforehand, you can fill out an online personal information concerns form.
When reporting a data protection breach of personal data to the ICO, you must do so within a certain period. The ICO recommends that the reporting of data breaches should be done without undue delay. Generally, this would be within 3 months of the last meaningful contact you had with the organisation responsible for the personal data breach. The ICO can then decide whether to investigate the breach or not. If they do, their findings could be used as evidence.
However, it is important to note that you do not have to report the data breach to the ICO in order to make a claim for compensation. Additionally, organisations are only obligated to report any data breaches they experience if they believe the breach will affect people’s rights and freedoms. This must be done within 72 hours of the breach happening.
Contact our advisors today if you are still unsure how to report a data breach of personal information.
When you make a complaint to the ICO about a data breach, the ICO will take appropriate action. They may investigate and they may issue a fine to the organisation. They may even suggest changes in the organisation’s data protection processes. However, this is at their discretion and depends on varying factors.
To find out more about personal data breach claims, get in touch with our advisors. They’re available 24/7.
If you make a valid data breach claim, you could receive damages for psychological harm or financial loss (or both). In the case Vidal-Hall and others v Google Inc, a successful claim was made for psychological harm. You may be able to claim for the stress and trauma of dealing with a personal data breach, and of dealing with the aftermath.
Before this case, claimants could only seek compensation for psychiatric damage if they’d also suffered financial harm. The court heard that settlements made for psychological harm should be valued as they are in personal injury claims. Compensation for mental harm is known as non-material damages.
If you have lost out financially due to a data breach, you may also try to recoup some of this loss as part of your claim. For example, if your credit cards were taken to the limit by a cybercriminal, you could be able to claim this loss back. Compensation for financial loss is known as material damages.
If you seek compensation for psychological harm after you report a privacy breach, how much you could claim depends on the severity of the harm, as well as other factors. The compensation table below is based on figures from the Judicial College Guidelines. This is a publication solicitors may use to help them value injuries and conditions.
| Type of Harm | Severity | Notes | Amount |
|---|---|---|---|
| Mental harm | Severe | Various aspects of the person's life have been negatively affected and they will also have a poor prognosis. | £54,830 to £115,730 |
| Mental harm | Moderately Severe | A more positive prognosis despite significantly struggling with aspects of life. | £19,070 to £54,830 |
| Mental harm | Moderate | A good prognosis with marked improvements despite struggling with various issues. | £5,860 to £19,070 |
| Mental harm | Less Severe | How much is awarded will be impacted by factors such as how much sleep was affected. | £1,540 to £5,860 |
| Anxiety Disorder | Severe | The person will be unable to live as they did previously due to permanent effects. All areas of life will be negatively impacted. | £59,860 to £100,670 |
| Anxiety Disorder | Moderately Severe | Following a better prognosis, there is some room for recovery with medical professional help. However, the person is still likely to have a disability for a while. | £23,150 to £59,860 |
| Anxiety Disorder | Moderate | A large recovery will have taken place and any persisting symptoms will only be minor. | £8,180 to £23,150 |
| Anxiety Disorder | Less Severe | Within 1-2 years an almost full recovery will have been made. | £3,950 to £8,180 |
In order to prove that you’ve suffered a worsened psychological state or your condition was fully caused by the breach, you’ll need to attend an independent assessment. The assessment would also prove the severity of your condition and you (or your solicitor, if you choose to use their services) can use the resulting report to value the mental harm.
If you can’t see your condition in the compensation table above, get in touch with our advisors. They offer a free estimation of how your psychiatric damage might be valued.
It isn’t necessary for you to use the services of a personal data breach solicitor. However, we believe that a good solicitor can be a great support. They can do the following:
- Cut through the legal jargon
- Build your case with you
- Explain what evidence you could use and help you prepare it
- Put you in touch with an independent medical professional
- Represent you in court (if the claim isn’t settled beforehand)
If you have a valid claim, we could put you in touch with an experienced data privacy lawyer who understands the process of making a data breach claim and can try to ensure you have the best chance of winning it.
You can call at any time of the day. We’ll answer your questions at no charge to you.
If you can prove that you suffered either mentally or financially because of a personal data breach, you could be able to make a No Win No Fee data breach claim. That means you don’t pay your lawyer a fee unless your claim has been won. You could also benefit from:
- No upfront solicitor’s fee to pay
- No solicitor’s fee to pay if you lose your claim
- Legal advice throughout your claim
- You only pay the solicitor’s fee once the compensation has come through
If you win your claim, you would have to pay your solicitor a success fee. However, this is limited by law. To find out more about No Win No Fee agreements, get in touch through any of the routes below.
Now you have learned how to report a personal data breach, are you ready to move on and make a compensation claim? All that you have to do is:
- Call our claims team on 0800 073 8804.
- Use our contact page.
- Email us at email@example.com.
- Use our live chat.
An expert advisor will evaluate your claim for you, and tell you what your next move could be. They’re available 24/7 and won’t oblige you to proceed with our services.
These websites all have information that you might find useful.
Find out how to claim bank data breach compensation. Learn more about the claims process with our guide.
A more recent and significant data breach occurred at South Staffordshire Water PLC. Following a cyber attack, the personal and potential financial data of customers was exposed and reportedly leaked online. We’re representing a number of affected individuals, so if you’d like to learn more about the South Staffs Water data breach, head here.
Thank you for reading our guide on how to report a data breach.
Written by Wheeler
Edited by Victorine