How To Report A Data Breach Incident
How To Report A Data Protection Breach
In this guide, we’re going to look at how to report a data breach. Your data may have been exposed due to some kind of failure by an organisation to comply fully with the General Data Protection Regulation (GDPR). We look at how data breaches happen and why you may be in a position to make a claim if you suffer financial or mental harm because of one.
We’ll focus on how breaches are reported to the ICO, what can be reported and the steps you could take afterwards.
Claims are unique. Each is based on a specific set of circumstances. Therefore, we understand you might have questions that fall outside of the scope of this guide. If this is the case, you can call our claims team on 0800 073 8804. They can help you further.
Alternatively, you can contact our advisors through the live chat on this page. You can also send a note through our contact page if you’d prefer. Or email us at email@example.com. Our claims advisors are available 24 hours a day, 7 days a week. What’s more, you won’t be under any obligation to proceed with the services of our solicitors after getting in touch.
Select A Section:
- A Guide On How To Report A Data Breach
- What Is A Data Breach?
- How Do I Know If My Data Privacy Has Been Breached?
- What Data Breaches Can Be Reported To The ICO?
- What Information About My Data Breach Will I Need To Give When Making A Report?
- How To Report A Data Breach To The ICO
- How Long Do You Have To Report A Data Breach?
- What Happens When You Report A Data Breach Incident?
- What Types Of Compensation May Be Awarded For Data Breaches?
- Calculating Compensation Awards For Data Breach Incidents
- How A Data Breach Solicitor Could Help You
- No Win No Fee Claims For Breaches In Data Protection
- Start A Claim For Data Protection Breaches
- Additional Services
You are reading a guide about how to report a data protection breach. If you have been the victim of a personal data breach and it caused you mental harm or financial loss, you could be in a position to make a compensation claim.
Organisations that decide how and why personal data should be processed are known as data controllers. In the UK, they have to comply with rules and regulations related to data privacy and security. This includes the Data Protection Act 2018, which enacted the GDPR into UK law. When they don’t comply, a data breach could occur.
The first few sections of this guide give background information about data breaches. We look at why they occur, how you can be affected and under what circumstances you could claim compensation.
We will also look at the process of reporting a personal data breach to the Information Commissioner’s Office (ICO). This includes what you can report, and what information you will need to provide the ICO. Time limits are also covered.
The later sections of this guide cover the claims process. We explain the two types of damages you might be able to claim, as well as provide a compensation table to help you value any psychological injury the breach may have caused. Lastly, you will learn about the benefits of making a No Win No Fee claim.
Do You Need More Help?
We understand that this guide might not have the answers to all of your questions. Moreover, you might want to gain an understanding of personal data breach claims from a real person. If this sounds like you, please do take the time to call our advisors on the number at the top of the page. Our advisors are available 24 hours a day, every day. They can also put you in touch with our solicitors, who offer No Win No Fee agreements.
Before we look at how to report a data protection breach in the UK, we’ll explore what a personal data breach is. Every organisation that processes personal information in the UK has to comply with GDPR. This includes government bodies, healthcare providers, schools and businesses. If the organisation processes personal data, then GDPR will apply.
The GDPR has been enacted into UK law under the Data Protection Act 2018. It’s aimed at ensuring you have more control over your data and that organisations protect your data. If compliance fails, then a personal data breach might occur. Breaches can be accidental or deliberate and occur when a breach of security causes personal data to be unlawfully:
There is a process you may choose to follow if this happens, which we will look at later in this guide.
How Does A Data Breach Happen?
Data breaches can happen for a number of reasons. However, two root causes are:
- Mistakes or accidents. For example, an employee might send an email containing personal data to an unauthorised recipient due to an email address mix up.
- Malicious activity, such as a cyberattack.
We will go over each of these in their own section below. It is important to note that, in either instance, the data controller or the data processor could be liable to pay compensation.
A data processor acts on the instructions of a data controller. For example, an agency might process data for a data controller. If they didn’t provide sufficient security measures and caused a breach, they could be liable.
Accidental Data Breaches
In this category, data breaches happen due to error or oversight. An employee of the organisation, for example, may cause a personal data breach. Examples include:
- An employee accidentally emailing your personal data to somebody who is not authorised to have it.
- A lost or stolen laptop that had your data stored on it.
- A removable storage device such as an external hard drive or USB stick being thrown away, without destroying the data.
- Sending personal information in a letter addressed to an incorrect recipient who is unauthorised to view the personal data.
- Leaving a monitor switched on that is displaying personal data for anyone to read.
Malicious Data Breaches
Organisations should ensure that their computers and systems are secure from external tampering and access. Unfortunately, cybercriminals can find vulnerabilities and exploit data that isn’t properly protected. Examples of ways they might do this include:
- Trying to trick staff members into divulging login information in a phishing attack.
- Using spyware to steal sensitive data.
- Using ransomware to hold personal data to ransom.
Malicious data breaches don’t always have to be online, however. Personal data held on paper records could be accessed and exploited too. To find out more, contact our advisors.
How Can A Data Breach Cause You A Problem?
The next thing we need to cover before we look at how to report a data breach is the effect that a personal data breach can have on your life. We share our personal data with a wide range of bodies, from the Government to websites. We may also share sensitive data such as:
- Passport information
- Credit and debit card information (such as numbers, expiry dates and CVV codes)
- Bank account details (such as account number and sort code)
- Home address
- National Insurance number
- Driving licence details
- NHS patient number
- Phone number
And the list could go on. This information, if in the wrong hands, could be used nefariously. In a worst-case example, your identity could be stolen. The cybercriminal could:
- Buy things using your credit cards.
- Take out new loans.
- Take over your bank accounts.
- Open new bank accounts.
Once the cybercriminal has enough of your private data to pass themselves off as you successfully, they could do real harm. You could not only suffer financially but mentally too. You may experience anxiety or depression.
Recovering From A Data Breach
Imagine waking up to find out that your identity had been stolen. A criminal may have emptied your bank account and made purchases to the limit of all of your credit cards. You could be heavily in debt. It could cause you to suffer emotional distress or psychiatric harm. Additionally, the process of dealing with the fallout and having your bank accounts changed could be very stressful.
You may be the victim of a personal data breach where you don’t endure any financial loss. However, you could still suffer psychologically. Alternatively, you may suffer financial loss without any symptoms of mental harm.
However you’ve suffered, it is important to try to recover from a data breach by:
- Changing your passwords if applicable
- Checking relevant areas that could be vulnerable, such as bank accounts
- Reporting the breach appropriately to the organisation
- Reporting the breach to the ICO (if necessary)
- Seeking the help of a professional therapist if you’re suffering mentally
If you suffered financially or psychologically due to a personal data breach, you could be able to claim data breach compensation. Get in touch with our advisors to find out more.
Before you report a data breach, you should try to discover how it occurred. If there has been a personal data breach that risks your rights and freedoms, the organisation should inform you. For example, they may send a letter or email advising you of the breach.
There are some indicators that your data has been accessed by criminals, such as:
- Receiving emails telling you your passwords have been changed.
- Phone calls from your bank querying large or suspicious transactions.
- Telephone calls from businesses confirming orders you didn’t place.
- Being sent SMS messages with one-time access codes that you didn’t request.
All of these are suspicious activities that could point to your data being accessed and used by cybercriminals. However, there are other kinds of data breaches that don’t result in financial loss and aren’t necessarily caused by criminals.
Breaches In Data Integrity
Organisations that process your personal data should, under the law, ensure it is correct. In some cases, incorrect data could have an adverse effect on your life. For example, you may discover such a breach if you apply for a loan and find that it is declined because there is incorrect data on your credit report. If you suffer financially or mentally because of this, the company that has stored the wrong data about you could be liable for compensation.
Data Breaches In Data Confidentiality
Part of learning how to report a breach of data protection is understanding why you need to make a complaint in the first place. Your personal data is, well, private. When you share it with an organisation, in many circumstances they are obligated to keep it secure, safe and confidential.
This means it should only ever be used for the purpose that it was provided for. It should not be shared with a third party unless you give your consent or there is a lawful reason why the organisation doesn’t need your consent. However, mistakes can be made, and your data can be shared with the wrong parties. Or a successful cyberattack could breach confidentiality.
You may know about a breach in data confidentiality if an unauthorised colleague at work, for example, advises you they received your annual salary uplift letter. If you ever suspect you’re the victim of a personal data breach but haven’t had confirmation, it is best to advise the organisation that potentially caused the breach directly.
Breaches In Data Availability
This is possibly the most difficult type of personal data breach to identify without a notification from the data controller or processor. That’s because, here, the breach relates to personal data that has been lost.
You may discover this has happened if you need to retrieve or access your personal data. After getting in touch with the data controller to access it, for example, they may advise you that they can’t find it, even though it was with them before and they’ve not destroyed it.
When an organisation loses your data, it can have mental and financial repercussions on your life. If it does, they could be liable to pay compensation.
Part of how to report a data breach under GDPR is knowing what types of data breaches can be reported to the Information Commissioner’s Office.
Organisations only have to report certain data breaches to you and the ICO. If the breach poses a likely risk to affected data subjects’ rights and freedoms, they should tell the ICO. (A data subject is someone whose data is processed by a data controller or processor.) They should also tell the data subject.
You would only report a data breach to the ICO if, after discovering you were the victim of one, you contacted the organisation responsible. If they didn’t appropriately respond, you could contact the ICO about the breach within 3 months of the organisation’s final reply. The ICO may then investigate, but undue delays in reporting can affect their decisions.
You can call our claims team for help if you are struggling to classify your own data breach and would like to know if you could report it.
When you make a complaint to the ICO, you should provide correct information about the personal data breach. You can report personal information concerns through their website.
The form will request information. You can provide:
- A description of the situation.
- How you found out about the data breach, and when.
- Details about the people that the personal data breach has affected or will affect.
- Proof that you have contacted the organisation.
- What you have done in response to the data breach.
- The organisation’s contact details.
- Your contact details so that the ICO can follow up the complaint with you.
When it comes to how to report a data breach, there are different ways that you can ask for advice on submitting a complaint to the ICO:
- You can call the ICO and ask for advice on how to make a complaint.
- During office hours, you can use the ICO live chat.
If you are ready to report a data breach, however, and have taken the appropriate steps beforehand, you can fill out an online personal information concerns form.
The ICO may not act on a complaint that you reported to them with undue delay. They would class undue delay as more than 3 months after the data controller sent you their final response.
However, your ability to make a compensation claim is not dependent on you first making a complaint to the ICO.
When it comes to how long you have to claim, the time limit will depend on the circumstances of your case. It will be either 6 years from the date you learned about the personal data breach, or 1 year from this date if your human rights were affected.
When you make a complaint to the ICO about a data breach, the ICO will take appropriate action. They may investigate and they may issue a fine to the organisation. They may even suggest changes in the organisation’s data protection processes. However, this is at their discretion and depends on varying factors.
To find out more about personal data breach claims, get in touch with our advisors. They’re available 24/7.
If you make a valid data breach claim, you could receive damages for psychological harm or financial loss (or both). In the case Vidal-Hall and others v Google Inc, a successful claim was made for psychological harm. You may be able to claim for the stress and trauma of dealing with a personal data breach, and of dealing with the aftermath.
Before this case, claimants could only seek compensation for psychiatric damage if they’d also suffered financial harm. The court heard that settlements made for psychological harm should be valued as they are in personal injury claims. Compensation for mental harm is known as non-material damages.
If you have lost out financially due to a data breach, you may also try to recoup some of this loss as part of your claim. For example, if your credit cards were taken to the limit by a cybercriminal, you could be able to claim this loss back. Compensation for financial loss is known as material damages.
If you seek compensation for psychological harm after you report a privacy breach, how much you could claim depends on the severity of the harm, as well as other factors. The compensation table below is based on figures from the Judicial College Guidelines. This is a publication solicitors may use to help them value injuries and conditions.
| Health Problem | How Bad Was It? | Possible Damages | Additional Notes |
|---|---|---|---|
| Mental harm | Moderate to severe | £17,900 - £51,460 | In this category, we would need to include psychological harm that is moderate to severe. The cause could be something such as going through a very traumatic experience. Long term therapy would be required, and the victim will likely recover fully after a long period of time. Until then, the life of the victim would be negatively impacted quite significantly. |
| Mental harm | Moderate | £5,500 - £17,900 | In this category, we would need to include psychological harm that is moderate. The cause could be something such as going through a very shocking experience. Therapy would be required, and the victim would recover fully after a period of time. Until then, the life of the victim would be negatively impacted only slightly. |
| Mental harm | Less severe | £1,440 - £5,500 | In this category, we would need to include psychological harm that is less severe. The cause could be something such as going through a slightly shocking experience. Very little therapy would be required, and the victim will likely recover fully after a short period of time. Until then, the life of the victim would barely be affected. |
| Mental harm | Severe | £51,460 - £108,620 | In this category, we would need to include psychological harm that is severe. The cause could be something such as going through repeated traumatic experiences. Long term therapy would be required, and the victim would not likely recover fully. Their life would potentially be negatively affected permanently to some extent. |
In order to prove that you’ve suffered a worsened psychological state or your condition was fully caused by the breach, you’ll need to attend an independent assessment. The assessment would also prove the severity of your condition and you (or your solicitor, if you choose to use their services) can use the resulting report to value the mental harm.
If you can’t see your condition in the compensation table above, get in touch with our advisors. They offer a free estimation of how your psychiatric damage might be valued.
It isn’t necessary for you to use the services of a personal data breach solicitor. However, we believe that a good solicitor can be a great support. They can do the following:
- Cut through the legal jargon
- Build your case with you
- Explain what evidence you could use and help you prepare it
- Put you in touch with an independent medical professional
- Represent you in court (if the claim isn’t settled beforehand)
If you have a valid claim, we could put you in touch with an experienced data privacy lawyer who understands the process of making a data breach claim and can try to ensure you have the best chance of winning it.
You can call at any time of the day. We’ll answer your questions at no charge to you.
If you can prove that you suffered either mentally or financially because of a personal data breach, you could be able to make a No Win No Fee data breach claim. That means you don’t pay your lawyer a fee unless your claim has been won. You could also benefit from:
- No upfront solicitor’s fee to pay
- No solicitor’s fee to pay if you lose your claim
- Legal advice throughout your claim
- You only pay the solicitor’s fee once the compensation has come through
If you win your claim, you would have to pay your solicitor a success fee. However, this is limited by law. To find out more about No Win No Fee agreements, get in touch through any of the routes below.
Now you have learned how to report a personal data breach, are you ready to move on and make a compensation claim? All that you have to do is:
- Call our claims team on 0800 073 8804.
- Use our contact page.
- Email us at firstname.lastname@example.org.
- Use our live chat.
An expert advisor will evaluate your claim for you, and tell you what your next move could be. They’re available 24/7 and won’t oblige you to proceed with our services.
Thank you for reading our guide on how to report a data breach.
Written by Wheeler
Edited by Victorine