How To Report A UK GDPR Breach And Start A Claim

Has your personal data been compromised? Are you wondering how to report a UK GDPR breach?


In this article, we will explain when to report and the process of reporting. We will also explore who to report a breach to as well as what compensation you may be eligible to receive.

To begin your claim today, we encourage you to contact our advisors for free legal advice. They can help you understand if you have grounds for a claim and may connect you with our panel of No Win No Fee solicitors to begin the claiming process. Contact our advisors today by: 

Select A Section

  1. What Is A Reportable Breach Under The UK GDPR?
  2. When To Report A UK GDPR Breach
  3. How To Report A UK GDPR Breach
  4. Who Do You Report A UK GDPR Breach To?
  5. What Could You Claim For A UK GDPR Breach?
  6. Begin Your Claim For A Breach Of The UK GDPR

What Is A Reportable Breach Under The UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is a piece of legislation that runs alongside the Data Protection Act 2018 and outlines the laws surrounding data protection. The Information Commissioner’s Office (ICO) is an independent public body responsible for enforcing data protection laws.

When your personal information is processed, you become a data subject. The entities that process your personal information include:

  • Data controller – The organisation that collects and determines the purpose of processing your data. 
  • Data processor – An external body used by a data controller to process your data on their behalf. 

Information that is personal to a data subject is protected by data security laws; not all information that is held by a data controller is protected this way. According to the ICO, a reportable data breach must be reported to them within 72 hours. If it affects the rights and freedoms of a data subject, then it must be reported to the individual within 72 hours. 

When To Report A UK GDPR Breach

The UK GDPR and Data Protection Act 2018 outline legislation to help data controllers and processors safeguard your data. Failure to keep your data secure could be grounds for a data breach claim. 

The UK GDPR places a duty on organisations to report certain personal data breaches to the Information Commissioner’s Office (ICO). The ICO suggests that you should have a robust policy for detecting and investigating any potential data security incidents. This way you will know which data breaches need to be reported. 

A personal data breach has occurred when personal information is involved in a security incident in which it may be stolen, altered, lost, disclosed, destroyed or accessed without authority and with no lawful basis.

Personal information is any information that can be used to identify you, such as your name, email address or date of birth, as well as information that can tell things about you. For example, the ICO created a list of special category data that can be considered high-risk information in data breaches, such as: 

  • Ethnic and racial origins
  • Political affiliations
  • Religions and philosophy
  • Trade Union membership
  • Genetic data
  • Biometric information
  • Health
  • Sexual orientation and activity 

Contact our advisors today for more information on when to report a UK GDPR breach. 

How To Report A UK GDPR Breach

In line with Article 33 of the UK GDPR, the entity in charge of protecting your data should gather the facts surrounding the breach to find out how it happened, what the effects will be and the action that will be taken. This specifically looks at the accountability principle within the principles of the UK GDPR. 

When reporting the breach to the ICO it may be a good idea to include:

  • Name and contact details
  • Breach date
  • Incident summary
  • The effect of the breach
  • Measures taken
  • Preventive steps you can take

The ICO provides multiple tools to report a breach, from self-assessments to reporting a breach if you are an individual or a business, or reporting a data security issue. 

For more information on how to report a UK GDPR data breach, contact our advisors today. 

Who Do You Report A UK GDPR Breach To?

If you suspect that your personal information has been involved in a data breach you can contact the party you think may have suffered the breach. You can ask if your data has been subject to a personal data breach, what information was breached and how they plan to deal with it. If you are not happy with the response from the data controller you can escalate your complaint internally. 

However, if you are not happy with the response, wait no longer than 3 months from your last meaningful communication to report this to the ICO. The ICO may investigate. They cannot provide you with compensation, but the investigation may help if you decide to make a personal data breach compensation claim.

Data controllers must report serious personal data breaches to the ICO within 72 hours and advise the data subject without undue delay.

The ICO has a robust reporting process for data breaches and a complaint system. The ICO can investigate the origin of the breach and, if they find compromised personal data, they can penalise the data controller. That said, for you to have a valid personal data breach claim, you must be able to show how the organisation failed in keeping your data secure. The data controller must be liable for the breach of your personal information that led to you suffering harm. 

What Could You Claim For A UK GDPR Breach?

In a personal data breach claim, you may be eligible to receive compensation if your claim is successful. Data breach compensation separates into material and non-material damages, which include:

  • Material damages – The physical damages suffered due to a data breach, which may include the compromising of financial data and identity impersonation. 
  • Non-material damages – A data breach can negatively impact mental health, resulting in psychological illnesses such as post-traumatic stress disorder (PTSD), anxiety, depression and paranoia. 

The Judicial College Guidelines (JCG) publish potential figures of compensation for your non-material damages as shown in the table below:

| Injury | JCG Updated 2022 Bracket Amounts | Notes |
|---|---|---|
| General severe psychological damage (a) | £54,830 to £115,730 | Where the injured person's ability to cope with aspects of life and have relationships is markedly difficult. They may have sought treatment with little success, resulting in future vulnerability and problematic prognosis. |
| General moderately severe psychological damage (b) | £19,070 to £54,830 | There will be significant problems stated in the above bracket, however, there will be an improvement in prognosis. |
| General moderate psychological damage (c) | £5,860 to £19,070 | Where a considerable improvement has taken place and the prognosis has improved to a good level. |
| General less severe psychological damage (d) | £1,540 to £5,860 | The awarded amount depends on the disability period and how much the damage affected daily activities and sleep patterns. |
| Severe PTSD (a) | £59,860 to £100,670 | The injured person is permanently affected, preventing them from working altogether, or at least to a pre-trauma level. All aspects will be detrimentally impacted. |
| Moderately severe PTSD (b) | £23,150 to £59,860 | There is a distinct improvement from the above prognosis due to help from a professional, however, some disabilities remain for the foreseeable future. |
| Moderate PTSD (c) | £8,180 to £23,150 | A large recovery has taken place and any continuing effects will not be overly detrimental. |
| Less severe PTSD (d) | £3,950 to £8,180 | Where there has been a near-complete recovery within one to two years with minor symptoms lasting longer. |

The Court of Appeal case Vidal-Hall v Google set a precedent for individuals to claim non-material damages without proving financial loss. 

For more information on how to report a UK GDPR data breach that led to the exposure of personal data and what data breach compensation you may receive, get in touch with our advisors today. 

Begin Your Claim For A Breach Of The UK GDPR

If you would like to begin a personal data breach claim following a UK GDPR data breach, then you may find it helpful to contact our advisors for free and relevant legal advice to determine the validity of your case. 

Our advisors can forward your case to our panel of No Win No Fee solicitors. A No Win No Fee arrangement is a common way to refer to particular legal agreements.

A Conditional Fee Agreement (CFA), which is the legal term for a type of No Win No Fee agreement, can be used to fund the services of your solicitor. 

The CFA details the success fee you would pay the solicitor when your claim succeeds. The fee is a small, lawfully-capped percentage of your compensation. 

You can get in touch by: 

Find Out More About How To Report A UK GDPR Breach

Please see our other informative articles:

Data Breach Compensation Examples – What Could You Claim?

Can I Claim For A Data Breach If My Personal Data Was Not Locked Away Or Secured?

Data Subject Rights Following A Breach Of Data Protection – Data Breach Compensation UK Law

We have also provided some helpful external links:

ICO – Data security incident trends

MIND – Mental Health

ICO – Make a complaint

Please contact our advisors for more information on how to report a UK GDPR data breach today.

Writer KO

Checked by IE.