How To Report A UK GDPR Breach And Start A Claim

By Lewis Aaliyah. Last Updated 3rd February 2023. Has your personal data been compromised? Are you wondering how to report a UK GDPR breach?


In this article, we will explain when to report and the process of reporting. We will also explore who to report a breach to as well as what compensation you may be eligible to receive.

To begin your claim today, we encourage you to contact our advisors for free legal advice. They can help you understand whether you have grounds for a claim and may connect you with our panel of No Win No Fee solicitors to begin the claiming process. Contact our advisors today.

Select A Section

  1. What Is A Reportable Breach Under The UK GDPR?
  2. When To Report A UK GDPR Breach
  3. How To Report A UK GDPR Breach
  4. Who Do You Report A UK GDPR Breach To?
  5. What Damages Can You Claim For UK GDPR Breach?
  6. Begin Your Claim For A Breach Of The UK GDPR

What Is A Reportable Breach Under The UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is a piece of legislation that runs alongside the Data Protection Act 2018 and outlines the laws surrounding data protection regulations. The Information Commissioner’s Office (ICO) is an independent public body responsible for enforcing data protection laws.

When your personal information is processed, you become a data subject. The entities that process your personal information include:

  • Data controller – The organisation that collects and determines the purpose of processing your data. 
  • Data processor – An external body used by a data controller to process your data on their behalf. 

Information that is personal to a data subject is protected by data security laws, but not all information that is held by a data controller is protected this way. If a company is liable for a UK GDPR breach, reporting it to the ICO is necessary. Under the UK GDPR, they must report the data breach to the ICO within 72 hours. If it has affected the rights and freedoms of a data subject, they must be notified without undue delay.

When To Report A UK GDPR Breach

The UK GDPR and Data Protection Act 2018 outline legislation to help data controllers and processors safeguard your data. Failure to keep your data secure could be grounds for a data breach claim. 

The UK GDPR places a duty on organisations to report certain personal data breaches to the Information Commissioner’s Office (ICO). The ICO suggests that you should have a robust policy for detecting and investigating any potential data security incidents. This way you will know which data breaches need to be reported. 

When personal information is involved in a security incident whereby it may be stolen, altered, lost, disclosed, destroyed or accessed without authority and with no lawful basis, a personal data breach has occurred.

Personal information is any information that can be used to identify you, such as your name, email address or date of birth, as well as information that can tell things about you. For example, the ICO created a list of special category data that can be considered high-risk information in data breaches, such as: 

  • Ethnic and racial origins
  • Political affiliations
  • Religions and philosophy
  • Trade Union membership
  • Genetic data
  • Biometric information
  • Health
  • Sexual orientation and activity 

Contact our advisors today for more information on when to report a UK GDPR breach. 

How To Report A UK GDPR Breach

This section looks at how to report a GDPR breach under UK legislation. A UK GDPR breach can be reported in a variety of ways.

Initially, if you become aware that your data has been breached, you should alert the organisation that is responsible. By doing this, you can potentially settle the matter privately. Make sure you write up your complaint, as this can provide crucial evidence further down the line should you make a claim for data breach compensation.

After the organisation responds, if you are not satisfied, you may report the incident to the ICO but must do so within three months of your last contact with the organisation. The ICO may not take action if you fail to make the complaint within this time frame.

Your report should contain a summary of the personal data breach, the impact on you and any communications you have had with the organisation. It would be useful to include why you were unhappy with their response too.

The ICO may then investigate the organisation at fault and can decide whether to offer them advice or impose a financial penalty. Although the ICO cannot offer data breach compensation to you, their findings may be used as evidence for your claim.

Get in touch for free advice on reporting a GDPR breach. Our advisors could connect you with our panel of data protection solicitors.

UK GDPR Claim – What Are The Time Limits Involved?

Following a breach of UK GDPR, a claim may be put forward if your personal data was exposed and you suffered harm or loss as a result. However, you should be aware of how long you have to report a data breach and to make the claim that is relevant to your case.

The limitation period to start a data breach compensation claim is typically six years, but one year if claiming against a non-public body.

There might be exceptions to the time limit. Get in touch and we can discuss in further detail for free. Additionally, we could connect you with a data protection solicitor from our panel.

Who Do You Report A UK GDPR Breach To?

If you suspect that your personal information has been involved in a data breach, you can contact the party you think may have suffered the breach. You can ask if your data has been subject to a personal data breach, what information was breached and how they plan to deal with it. If you are not happy with the response from the data controller, you can escalate your complaint internally. 

However, if you are still not happy with the response, wait no longer than 3 months from your last meaningful communication to report this to the ICO. The ICO may investigate. They cannot provide you with compensation, but the investigation may help if you decide to make a personal data breach compensation claim.

Data controllers must report serious personal data breaches to the ICO within 72 hours and advise the data subject without undue delay.

The ICO has a robust reporting process for data breaches and a complaint system. The ICO can investigate the origin of the breach and if they find compromised personal data they can penalise the data controller. That said, for you to have a valid personal data breach claim you must be able to show how the organisation failed in keeping your data secure. The data controller must be liable for the breaching of your personal information that led to you suffering harm as a result. 

What Damages Can You Claim For UK GDPR Breach?

If you have evidence that an organisation breached your personal data, you may be eligible to claim compensation. However, it is important to note that you do not need to report a UK GDPR violation in order to make a claim.

You could make a claim for material and non-material damage following a breach of your personal information.

Material damage refers to any of the financial losses you have suffered due to the personal data breach. For example, a bank data breach could see your banking and credit card information compromised. This could lead to someone stealing money from your bank account or making unknown charges to your card. Providing evidence of these financial losses, such as your bank statements, could help support your claim.

Non-material damage refers to the psychological harm you may have suffered due to the personal data breach. This could be anxiety, post-traumatic stress disorder or depression.

Using the figures listed in the 16th edition of the Judicial College Guidelines (JCG) we have created the following table to help you understand how much you could receive for your non-material damage. Many legal professionals will use the JCG to help them value claims, as it assigns compensation brackets to various mental and physical injuries.

Please only use this table as a guide.

| Type of Harm | Notes | Amount |
|---|---|---|
| Severe general psychological damage (a) | Where the injured person’s ability to cope with aspects of life and have relationships is markedly difficult. They will also receive a poor prognosis. | £54,830 to £115,730 |
| Moderately Severe general psychological damage (b) | The person will suffer with significant problems, however, there will be an improvement in prognosis. | £19,070 to £54,830 |
| Moderate general psychological damage (c) | Where a considerable improvement has taken place and the prognosis is good. | £5,860 to £19,070 |
| Less Severe general psychological damage (d) | The awarded amount depends on the disability period and how much the damage affected daily activities and sleep patterns. | £1,540 to £5,860 |
| Severe anxiety disorder (a) | The injured person is permanently affected preventing them from working altogether, or at least to a pre-trauma level. All aspects will be detrimentally impacted. | £59,860 to £100,670 |
| Moderately severe anxiety disorder (b) | There is a better prognosis with room for recovery with help from a professional, however, some disabilities remain for the foreseeable future. | £23,150 to £59,860 |
| Moderate anxiety disorder (c) | A large recovery has taken place and any continuing effects will not be overly detrimental. | £8,180 to £23,150 |
| Less severe anxiety disorder (d) | Where there has been a near-complete recovery within one to two years with minor symptoms lasting longer. | £3,950 to £8,180 |

Contact our advisors today for free legal advice concerning your potential claim. They could also help answer any questions you may have, such as how to report a data protection breach in the UK.

Begin Your Claim For A Breach Of The UK GDPR

If you would like to begin a personal data breach claim following a UK GDPR data breach, then you may find it helpful to contact our advisors for free and relevant legal advice to determine the validity of your case. 

Our advisors can forward your case to our panel of No Win No Fee solicitors. A No Win No Fee arrangement is a common way to refer to particular legal agreements.

A Conditional Fee Agreement (CFA), which is the legal term for a type of No Win No Fee agreement, can be used to fund the services of your solicitor. 

Detailed in the CFA is the success fee you would pay the solicitor when your claim succeeds. The fee is a small, lawfully-capped percentage of your compensation. 


Find Out More About How To Report A UK GDPR Breach

Please see our other informative articles:

Data Breach Compensation Examples – What Could You Claim?

Can I Claim For A Data Breach If My Personal Data Was Not Locked Away Or Secured?

Data Subject Rights Following A Breach Of Data Protection – Data Breach Compensation UK Law

We have also provided some helpful external links:

ICO – Data security incident trends

MIND – Mental Health

ICO – Make a complaint

Please contact our advisors for more information on how to report a UK GDPR data breach today.

Writer KO

Checked by IE.