The short answer to this question is yes. The GDPR was introduced in May 2018 to ensure personal data is not misused, destroyed, disclosed, or lost. So, if you think your data has been treated in this way and not fully protected, you have the right to sue a company and receive compensation for the data breach.
Data breach compensation
Under GDPR law, if a company that is holding your data suffers a data breach, you could be entitled to claim data breach compensation if you have experienced some form of loss as a result, or if you have suffered mental health symptoms such as anxiety or emotional distress because of your data being breached.
It can sometimes be difficult to know if your personal data has been breached, as every situation is different. It is a data breach if your personal data is lost, destroyed, accessed, or disclosed in an unauthorised way, whether deliberately or by accident, by someone inside or outside the organisation. Data breaches can involve:
- Personal health information
- Medical documents
- Social services documents
- Financial information
- Sensitive, protected, or confidential information
Who can you claim against for a breach of data protection?
You can make a claim for a data breach against an individual or an organisation either in the public sector, private sector, or charitable sector. In some cases, there can be more than one defendant. Usually, GDPR claims and data breach claims are settled out of court, but each situation is different.
How much can you claim in data breach compensation?
The amount of compensation you can get will depend on the type of data breach and how it has impacted your life, both financially and mentally. The law in this area is currently under development and the courts are yet to provide any specific guidelines on what will be awarded to data breach claimants. However, damages awarded in employment discrimination cases can offer some guidance on the subject and are divided into three bands.
- £900-£8,600 for less serious cases where the incident was just a one off, for example:
  - Disclosure of an individual’s name, date of birth, home address, and email address, £1,000-£1,500
  - Disclosure of information linked to a medical data breach, £2,000-£5,000
  - Disclosure of financial information, £3,000-£7,000 depending on the effect of the breach
- £8,600-£25,700 for a breach that is more serious than the first band.
- £25,700-£42,900 if there has been a protected pattern of default, which has caused depression or other illnesses. Medical evidence would be required to support this alongside evidence to back up any other losses such as earnings.
What happens if the organisation doesn’t pay the compensation?
If you have a strong case against an organisation for a data protection breach and they are refusing to pay the compensation, your next step would be to make a claim in court. The court would decide your case and, if it agreed with you, it would decide whether the organisation has to pay you compensation and, if applicable, how much. It is strongly recommended that you take independent legal advice on the strength of your case prior to taking any claim to court. We can help put you in contact with experienced data breach solicitors who can discuss with you whether your case is worth pursuing. Get in touch with us today to find out more.
Who should you inform of a possible data breach?
Data breach cases are not always straightforward and can require a bit more digging to get all the key details. If you suspect a data breach has occurred, it is recommended that you contact the Information Commissioner’s Office (ICO), the UK’s data protection regulator and supervisory authority for GDPR compliance. The ICO can investigate the incident and determine if an organisation is at fault for the breach. This can be quite a slow process, but it can lead to an increased chance of a successful compensation claim. The ICO does not award compensation; to get compensation you need to make a claim against the organisation that breached your data.
However, a significant fine or a factual report from the ICO that the organisation in question is responsible for the data breach will be extremely valuable in your claim. You are not required to contact the ICO or wait for its investigation to end before you make a claim; you can bring a case against a company directly without involvement from the ICO. However, it will be more beneficial to go through the ICO first to help strengthen your case.
What should you do if you are notified that your data has been breached?
- Change your passwords
If your data has been breached and you use similar login information, like usernames and passwords, for other websites or online accounts, you should change those details straight away.
- Keep an eye on your bank accounts and credit report
You might want to watch your bank accounts and other online accounts closely over the next few months, particularly if you think or know that the breach involved financial details or other details the hacker could use to commit identity fraud. If you see anything unusual you should contact your bank immediately and explain that you have been a victim of fraud. Also, it is important to check your credit report to ensure credit isn’t taken out in your name.
- Be aware of scams
If someone contacts you over the phone asking for personal details or passwords, you should take steps to check their true identity. Ask them to give you details that only the company they claim to be calling from would know, for example details of your service contract or how much you pay per month. Keep in mind that scammers could have access to more of your personal information than seems normal. So, if you are suspicious of the caller, hang up the phone, look up the company’s phone number, and ring them yourself.