What can you claim data breach for?

Peter Hammond I am a solicitor who has specialised in data breach compensation claims.

Under the GDPR, if an organisation that is holding your data suffers a breach, you could be entitled to claim compensation if you have experienced some form of loss as a result, whether that loss is financial, a loss of emotional stability, or both. A data breach is when personal data being held is lost, destroyed, accessed, or disclosed in an unauthorised manner, whether by accident or deliberately, by someone inside or outside of the company.

A data breach can involve:

  • Personal health information (PHI)
  • Medical documents
  • Social services documents
  • Financial information or bank details
  • Sensitive, protected, or confidential information


Can you claim compensation for a breach of data protection?

Under the GDPR, you have the right to claim compensation for a data protection breach if you have suffered as a result of an organisation breaking data protection law, whether accidentally or intentionally. The organisation might agree to pay compensation to you without involvement from the ICO (the UK’s data protection regulator and supervisory authority for GDPR compliance), so you won’t need to make a legal claim.

If you believe your personal data has been breached and you have experienced distress or loss you could be able to claim. However, data breach cases are not always simple and straightforward. It is advisable to contact the Information Commissioner’s Office (ICO) as they can investigate the incident and determine if an organisation is at fault for the data breach. This process can be quite slow, but it can be extremely beneficial to a compensation claim.

It is important to remember that the ICO does not award compensation; to get compensation you need to make a claim against the organisation that breached your data. You don’t have to contact the ICO or wait for its investigation to be completed; you can bring a case against an organisation directly without involving the ICO. However, an ICO finding that there was a breach will make your case stronger and more likely to be successful.


What compensation can you get with a data protection claim?

Financial loss

A data breach can result in financial theft, identity theft, or both, either of which can have a big impact on your life and be highly upsetting. If they have enough information, a cybercriminal can apply for credit in your name, access your bank account, and set up new fraudulent bank accounts.


If you have not been financially impacted by a data breach that does not mean it hasn’t affected you in some way. Having your personal information stolen can leave you at risk of phishing attacks and other attempts by the cybercriminals to access more of your data.

A personal data breach is like the online version of having your home burgled. That is to say if a criminal came into your home and stole your personal information you would be emotionally distressed and feel vulnerable and nervous about what they could do with that information. So, why would you feel any differently if your data were breached online?

Being the victim of a crime can have a significant effect on your life both mentally and physically. Naturally, everyone will react in a different way, but some people could experience a lack of sleep and feeling ill, unsettled, or confused. This added stress can also impact your family, friends, and your job as the distraction and weight on your mind could impact your day-to-day functioning and moods.


Common data protection claims

Over the years, the most common data breaches have happened in service-based industries where there is direct contact with the public. For example, mobile phone networks, tech firms, retailers, and banks have all been in the headlines due to data security breaches. Data protection claims can be made in situations that include:

  • Your privacy has been compromised as part of a whistle-blowing operation
  • Your personal information has been mishandled or misused
  • Your personal data has been the victim of a cybercrime
  • Your data has been inadvertently leaked or lost
  • An organisation has broken the law by using your information for journalistic, artistic, marketing, or literary purposes without your permission
  • Corporate claims where organisations have had their company data leaked, such as banking information, business plans, etc.
  • Your personal data has been shared with a third party without your permission
  • An organisation has failed to keep up-to-date and accurate information about you and it has caused you damage


Are you owed compensation for data protection negligence?

You can claim compensation if an organisation has failed to keep your data secure, regardless of whether you have suffered or not as a result of the breach. However, if you have experienced financial or medical harm, distress, or anxiety, it can make for a more substantial case.


What steps can you take to claim compensation?

1) Contact the company that lost your data

If you have suffered loss or distress due to your data being compromised, the first thing you should do is contact the company you think is responsible if they have not already contacted you about a breach. You should outline what distress and/or loss you have experienced and how you expect to be compensated.

2) Voice your complaint to the ICO

You can also take your concerns about how the organisation has stored and processed your data to the ICO. The ICO cannot give advice on the amount of compensation that should be due, even if it determines that the organisation did breach the GDPR. However, as previously mentioned, its opinion can be very influential and useful in your claim against an organisation that has breached your data.

3) Go to the small claims court

If you can’t reach an agreement with the organisation that breached your data on whether you are due compensation and how much, you can make a claim through the small claims court. If you do opt to go down this route, a good piece of evidence to take to the court is the ICO’s agreement with you that the GDPR was breached by that organisation.


How to find out if you have been part of a data breach?

By law, any organisation that has experienced a data breach where your data has been affected is required to contact you and inform you that they have breached your data. If the company is public and the data breach is quite large scale, the ICO will usually report the breach on its website too, with all the factual details and findings from its investigation.


A lot of people might think that you can only make a data protection claim if you have experienced financial loss, but this is certainly not the case. Depending on what information was accessed, a personal data breach can cause a great deal of stress and anxiety, as well as a feeling of betrayal and disappointment that a company has not sufficiently protected your data. You are entitled to compensation for the mental impact a data breach has had on your life and the inconvenience it causes, not just any financial loss.

My Data Has Been Breached, What Do I Do Next?

Peter Hammond I am a solicitor who has specialised in data breach compensation claims.

Whether your privacy has been violated through a criminal cyber attack or by an entrusted organisation, you have the full right to get compensation under the law.

The more technology advances and cybercrime increases, the stricter data protection regulation becomes. In 2018, the DPA was introduced in the UK to complement the GDPR’s work. Both serve to protect people’s cyber privacy every day. 

Data Breach Claim was established to help you seek compensation for any data breach that has affected you. In this article, we’ll address all the questions that may come to your mind after you’ve been subject to a data breach.

Data Breach Claim — When Am I Entitled to Compensation?

You have the right to legally claim financial compensation for any intentional or unintentional action taken that involves using your personal data. According to the GDPR and DPA, whether your data has been maliciously or accidentally misused, disclosed, altered, or hacked, you are entitled to compensation.

All of the following incidents are considered data breaches:

  • Identity theft or fraudulent use of data
  • Health/Medical Care data leakage
  • Unauthorised access to private data on a lost or stolen device
  • Unauthorised selling or mistakenly sending your data to a third party
  • Loss of data by the entrusted organisation
  • IT security system breach of the organisation that holds your data
  • Financial data disclosure to a third party
  • Unauthorised login or disclosure of login information

I Had an Insignificant Data Breach. Is a Compensation Claim Still Valid?

Don’t belittle any violation of privacy, no matter how insignificant it may seem. You’d be surprised how many people dismiss such acts, only to endure harsh consequences in the future. Not protecting the security of your data now may result in unethical behaviours, like compromise or defamation.

There are certain types of data that are categorised as special data under data protection regulation. These personal data are sensitive; here’s a brief list of them.

  • Genetic data
  • Physical or mental health records
  • Race or ethnic background
  • Political affiliation
  • Religious or philosophical beliefs
  • Criminal records
  • Biometric data (Face/iris/voice/fingerprint recognition)
  • Trade union memberships

Is It Too Late to Make a Data Breach Compensation Claim?

In the UK, as long as you file your claim within six years of the data breach, it’s not too late. It’s always advisable to make your claim as soon as possible, though.

I/My Loved Ones Have Suffered Emotionally/Mentally. Is It Still Possible to Get Compensation?

Absolutely! You’re eligible to file for data breach compensation for any inconvenience caused, even if you’ve only gone through emotional distress. Being a victim of such an incident takes a toll on you and your loved ones. With our help, rest assured that you can get compensation for both material (e.g. economic loss) and non-material damage.

Data Breach Claim offers top-notch service with a team who’s confident of winning you compensation, even for non-material damage. We first evaluate your case and give you feedback on whether we think it’s a compensation winner. Then, our legal team works to refer you to a data breach solicitor that’ll get your compensation.

Does a Data Breach Compensation Entail Going to Court?

The first step, which saves cost and time, is to settle compensation with the organisation outside court. With a proven data breach, an organisation usually saves its reputation and litigation expenses by settling payment with the afflicted party. 

However, this may not always be the case, and this is when we extend to you our expert hand to guide you and recommend to you the best specialists who can aid you.


What’s the First Thing I Should Do After a Data Breach?

Your initial action should be to protect the rest of your data to ensure no further data breach is made. The next step should be looking into how your data has been breached, then seeking help on your case for compensation.

Here are detailed steps you should take once you’re aware of the data breach.

  1. Change all of your login information. Check the strength of your passwords and codes, and activate multi-factor authentication options, such as verification codes or security questions.
  2. Keep a record of any notifications you receive concerning a data breach and any correspondence on the matter.
  3. Find out exact details on what type of data has been breached and how.
  4. Contact the offender directly: it’s always advisable to begin a compensation claim by attempting to sort it out with the offending organisation.
  5. Under no circumstances should you agree to sign any papers that urge you to forgo your rights as a victim of the data breach.

My Data Has Been Breached. How Can I Make a Claim?

There are some steps you can take to make a claim after you’ve been subject to a data breach. Check them out here.

Contact the ICO

If you fail to reach an agreement with the offending organisation, it’s best that you first correspond with the ICO to make sure your case follows the UK’s data protection regulation in compliance with the GDPR and DPA.

What Does the ICO Do?

The ICO is the Information Commissioner’s Office, an independent UK authority responsible for protecting privacy rights and implementing data protection regulation.

The ICO lets individuals and organisations file complaints about data breaches. Your case is then assessed, and they get back to you with their judgement on whether a real violation of data protection regulation has been made or not.

The ICO investigates your claim and gives you credible evidence to present to the offending organisation for a compensation settlement. Their feedback on your case also serves as an official statement of the data breach to the court. This solidifies your compensation claim.

When filing a complaint to the ICO, according to the GDPR, you must submit the following:

  1. Details on the nature of the data breach:
  2. The name and contact information of the reported organisation (or their Data Protection Officer, if present) for further investigation
  3. A statement of the possible consequences of the data breach for the affected parties
  4. Details on what actions have been taken on your part, or the proper steps you would like the ICO to take concerning your data breach case. Plus, any required actions implemented to alleviate any possible threats or detrimental consequences.

Please note that the ICO has the power to fine the offending organisation for the violation. Still, it doesn’t have the authority to provide you with legal advice or compensation.

Moreover, the ICO has the right to receive a commission to investigate your case upon your compensation receipt.

Contact Data Breach Claims

We have confidence the team of specialists we introduce you to will do their best to guide you to win your data breach compensation claim. We seek to make our clients reap maximum gains from their material and non-material losses by referring them to the right kind of competent help.

Taking action yourself by directly contacting the organisation to settle compensation may not be the best idea. Individual claims may end up disregarded altogether. Even worse, you may fall into dispute with them or receive a negligible settlement.

You must hold onto any documents pertinent to your data breach, and any communication made with the notifier organisation. Also, look for any suspicious behaviour on your accounts, like phishing emails or threats. Any piece of information related to your data breach can make a significant difference for our references in winning your case.

How Much Compensation Will I Get for a Data Breach?

Every data breach case differs in the circumstances of the breach and how much damage has occurred.

The amount depends on factors such as:

  • Nature of breached data, whether sensitive or not
  • Nature of damage to the victim, material or non-material
  • Length of time data was breached
  • Number of times data was breached
  • Number of people who violated the data


Is There Anything Else I Should Do Besides File a Claim?

Yes, there are other essential aspects you should take into consideration besides making a compensation claim. For one, you’re responsible for ensuring that the data breach details reported to or discovered by you are accurate and true.

Additionally, there may be other organisations that should be informed about the breach as soon as you’ve confirmed it. Some noteworthy examples include the police, National Cyber Security Centre (NCSC), and credit card issuers.

Lastly, take preventative measures to make sure such an incident doesn’t happen again.

How Will You Help Me With My Compensation Claim?

Our main aim is to help you fight for your right to receive compensation for a breach to your private information. To most people, going through such a process is something they’re not ready for, and they may even abstain from going through with this altogether. This is where you leave it to us.

We’ll put you in touch with experts who will assess your case and get back to you with feedback on whether they think your case qualifies for compensation. The advisors will direct you on what to do next and help to look into your case. Any further communication with the offending organisation will be made through our professional bodies.

The Verdict

Breaching people’s privacy always comes with a cost; some people suffer emotional damage, and many others suffer economic loss. Nothing that violates people’s rights goes dismissed under the law.

Remember that anyone who breaches your data is liable for compensation, and you have the right to fight for it. With Data Breach Claims, your data breach case is in the best hands.

What happens when there is a data breach?

Peter Hammond I am a solicitor who has specialised in data breach compensation claims.

What should a business do when it has been breached?

When a company or organisation discovers there has been a data breach, it has a duty under the GDPR to report it to the relevant supervisory authority. It is expected that this is done within the first 72 hours of becoming aware of the breach, if feasible. Also, if the breach is likely to have a high risk of negatively affecting individuals’ rights and freedoms, those individuals must also be informed as soon as possible.

It is important to make sure there are effective breach detection, investigation, and internal reporting procedures in place. This will help to determine whether or not you need to notify the relevant supervisory authority, the affected individuals, or both. Whether you are required to notify the authority about the breach or not, you must keep a record of any data breaches that occur in your organisation.

What should individuals be told when there is a breach?

The UK GDPR states that when a breach is likely to be a high risk to the rights and freedoms of individuals, you must inform those directly affected without delay. ‘High risk’ means the threshold for informing individuals is higher than the threshold for notifying the ICO. To make that decision you will need to assess the severity of the potential or actual effect on individuals as a result of a breach and the likelihood of this occurring.

If a data breach is severe, the risk is higher, meaning that the potential consequences for individuals could be highly significant. If you are an organisation responsible for people’s data, in these circumstances, you need to quickly inform those impacted, especially if there is a need to mitigate an immediate risk of damage to them. One of the main reasons to tell individuals is to help them take steps to protect themselves from the effect of the breach.

When telling someone about a data breach you need to describe in clear and plain language the nature of the personal data breach and at a minimum:

  • The name and contact information of any data protection officer you have, or another point of contact where further details can be obtained.
  • A description of the consequences that are likely to occur from the data breach.
  • A description of the measures that have been taken or suggested to deal with the data breach and, where appropriate, a description of the measures taken to reduce any potential adverse effects on the individual.

Also, if possible, you should offer clear and specific advice to people on the steps they can take to protect themselves and what you can do to help them. Depending on the situation this could include things like:

  • Forcing a password reset
  • Advising people to use strong and unique passwords
  • Letting them know to look out for fraudulent activity on their accounts or possible phishing emails


What other steps should a company take when responding to a data breach?

As previously mentioned, it is extremely important to record any and all breaches regardless of whether or not they need to be reported to the ICO. The GDPR requires you to document the facts of the breach, its effects, and the action taken to remedy the situation. This is part of your overall obligation to comply with the accountability principle and allows the verification of the organisation’s compliance with its notification duties under the GDPR.

As with any security incident, you should investigate whether the breach was caused by human error, a systemic issue, or a cybercrime, and see how it can be prevented from recurring in the future. Recent statistics have shown that human error is the leading cause of reported data breaches. The risk of this can be reduced by:

  • Compulsory data protection induction and refresher training
  • Supervising and offering support to employees until they are proficient in their role
  • Keeping policies and procedures up to date so employees can report any cases of a near miss
  • Working to the idea of “check twice, send once”
  • Promoting a culture of trust in which employees feel comfortable and able to report near misses
  • Looking at the root causes of breaches and near misses
  • Protecting your employees and the personal data your organisation is responsible for. This might include restricting access to systems or implementing organisational and technical measures such as disabling autofill


What happens if a company fails to notify the ICO of a serious data breach?

Failing to notify the ICO when you are required to do so can lead to a substantial fine of up to £8.7 million or 2% of your global turnover. That is why it is important to make sure you have a robust breach-reporting procedure in place so you can detect breaches, notify them on time, and provide the necessary details, unless the data breach is unlikely to result in a high risk to individuals. If you decide you don’t need to report the breach, you need to be able to justify that decision, so you should document it in detail.


What to do if your data has been breached

If you have received a notification from a company that your data has been affected, here are some useful steps you can take.

  • Change all your passwords straight away
  • Determine from the company what type of information was compromised in the breach
  • Contact your bank or credit card company if your financial details have been breached
  • Find out what help and guidance the company is offering and accept what they offer; this could be free credit reports or identity theft protection, for instance
  • Monitor all of your accounts closely
  • Be aware of scams
  • Pay extra attention to your inbox and be careful what you click on, as you could be targeted with phishing emails after the breach
  • Use two-factor authentication where possible
  • To further protect yourself in the future, don’t use the same passwords between different accounts and try to make them as unique as possible
