What is a Breach of GDPR in the UK?

Peter Hammond: I am a solicitor who has specialised in data breach compensation claims.

Regardless of a company’s data security measures, there can never be 100% certainty that it is completely safe from a data breach. Companies need to know how to recognise, deal with, and report a data breach as soon as it happens, as this will help them avoid many unnecessary complications.

The General Data Protection Regulation is a data protection law that has applied since 2018 to govern the sharing and handling of personal data. It sets out how data breaches must be handled and provides for notices and penalties where a violation is confirmed. So, what is a breach of GDPR in the UK? Keep reading to learn more about this topic.

What is a Breach of GDPR in the UK?

A breach of GDPR refers to any breach of security that leads to the accidental or unlawful loss, destruction, or alteration of personal data, or to its unauthorised disclosure or access. There are, however, several different types of data breach, and companies need to deal with each according to its severity and its likelihood of affecting the people or parties involved.

The Information Commissioner’s Office (ICO) is an independent regulatory office in charge of upholding information rights in the public interest. Under the law, an organisation must report a breach to the ICO within 72 hours where feasible, so that the regulator can take adequate action. If the breach is likely to put individuals’ rights or freedoms at risk, the organisation should also notify those individuals of the breach as soon as possible.

Organisations are required to have a response plan for a data breach, which means having a proper data breach detection, investigation, and reporting system in place. This helps them determine the severity of the breach and whether they need to inform the ICO, the individuals involved, or both.

Examples of UK Data Breaches

The GDPR helps companies and organisations understand the importance of protecting data. There are still, however, cases of data breaches that could have been avoided had organisations taken the right measures to protect their data. Here are some of the most significant data breach cases in the UK.

Morrisons Supermarket

Morrisons is the UK’s fourth-biggest supermarket chain. It suffered a huge data breach in January 2014, when one of its employees uploaded the personal data of more than 100,000 employees to a public file-sharing website.

The employee, a senior IT auditor, had been subjected to an unrelated disciplinary action. In response, he copied the payroll details of more than 100,000 employees to a USB drive and uploaded the data to a public file-sharing website, exposing the employees’ bank account details and salaries.

As a result, thousands of employees filed for compensation and were awarded pay-outs. Although the preliminary ruling stated that the company wasn’t directly liable for the breach, Morrisons lost about £2 million because of this incident. The employee was sentenced to eight years in prison.

Wonga Loans

In 2017, Wonga, a leading payday loan firm, suffered a huge data breach that affected about 245,000 customers in the UK and 5,000 customers in Poland. The leaked data included phone numbers, addresses, bank account numbers, and codes.

Although the cause of the breach was never accurately determined, experts state that it was because the company wasn’t 100% compliant with data protection laws. The attack was probably launched by cyber criminals in Asia who wanted to steal bank card details for online shopping.

The breach happened on a Tuesday, but the company chose to remain silent for several days, a delay that would violate the GDPR today. Wonga Loans agreed to pay compensation of more than £2.6 million to more than 45,000 customers.

How is GDPR Affected by the UK Leaving the EU?

After the UK left the EU, there was a transition period until the end of 2020, allowing the UK to come up with new regulations to deal with data protection. Until the end of the transition period, the GDPR applied and companies complied with its rules.

The transition period ended in January 2021, but the EU GDPR’s provisions remain in force in the form of the UK GDPR, which incorporates the EU GDPR into UK data protection law. The UK government is free to keep the framework under review, with minor changes to core data protection principles and obligations.

Organisations operating in the European Economic Area (EEA) may still be subject to the EU GDPR. This also applies to organisations that receive data from European organisations, which need to make sure those transfers are in line with the UK GDPR.

How Can You Prepare for a Data Breach?

Taking security measures can help companies avoid a data breach. Here are some tips a company should follow to protect its data.

  • The organisation’s personnel understand what a data breach is.
  • Employees understand that a data breach involves more than the loss or theft of data.
  • There is a precise plan that helps the company deal with a breach as soon as it happens.
  • Staff know how to escalate an incident without delay.

How Can An Organisation Assess a Data Breach?

There are several ways an organisation can assess the severity of a data breach within it. Based on this assessment, it can decide whether it needs to report the breach to the ICO, to the individuals involved, or to both.

  • Take the self-assessment test to identify the severity of the breach.
  • If the company is subject to the Privacy and Electronic Communications Regulations (PECR), which govern electronic messages sent to members of the public, the breach should be reported.
  • Data involving ID numbers and credit card numbers usually carries a higher risk to the individuals involved.
  • Study the consequences of the data breach. If the lost or altered data could be used for identity theft or other types of fraud, the data is considered high-risk.

How Can Companies Respond to a Data Breach?

If a breach has been confirmed, here is what an organisation can do.

  • The company has a process to identify and assess the risk to individuals arising from the data breach.
  • There is an efficient system to notify individuals that their data has been breached.
  • The company knows how to report the breach to the relevant authorities within the specified time period.
  • The company can provide advice to individuals affected by the breach.
  • The company keeps a record of all data breaches, including those not reported.

Wrap Up

A data breach can be avoided, but if one does happen, a company should know how to comply with the rules so that it can manage the consequences. Under the UK GDPR, not all data breaches need to be reported, but every organisation should have an efficient system to deal with them as soon as they occur.

What is considered a breach of GDPR?

Firstly, what is the GDPR?

The General Data Protection Regulation (GDPR) came into effect in 2018 and unifies the rules for the processing of personal data by private and public companies. The regulation aims to ensure the protection of personal data across all industries. The principles for the processing of personal data under the GDPR are:

  • Process data lawfully
  • Process data fairly
  • Be completely transparent about how data will be stored, processed, and used
  • Have a clear purpose for using the data
  • Keep personal data storage to a minimum
  • Be accurate about what data you need and don’t collect unnecessary information
  • Don’t store data for longer than you need it, and delete information safely
  • Have integrity and do everything you can to protect personal data
  • Be accountable for your actions


So, what counts as a breach of GDPR?

There has been a lot of confusion about what can be classed as a breach of GDPR and what can’t. In the GDPR a personal data breach is defined as ‘a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.’ To explore this further, personal data breaches can be organised into three categories:

  • Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data. This kind of breach is most common with patients’ records at medical centres and hospitals.
  • Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data. An example would be the sort of problem that arises after a cyber attack that prevented access to records and/or destroyed them.
  • Integrity breach – where there is an unauthorised or accidental alteration of personal data.

A data breach could possibly involve all three categories depending on the nature of the circumstances.  


How has the definition of “personal data” changed?

In the past, when a company dealt with business transactions, it could be assumed that personal data referred strictly to account or ID numbers, addresses, and dates of birth. While this type of data should still be kept secure, the GDPR has expanded the definition of personal data.

Now, personal data is related to “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. This means that social, mental, economic, cultural, and even genetic information will now be considered personal data that is to be protected by GDPR requirements.


What is the penalty for a GDPR violation?

The national supervisory authorities are required by the GDPR to impose warnings or fines for data protection offences. Anyone who believes that their personal data is being processed unlawfully has the right to lodge a complaint with the ICO (Information Commissioner’s Office). The ICO can then investigate the security measures at that organisation and the degree to which it was at fault, and impose a fine based on its findings.


How long does a company have to report a breach of GDPR?

Whether the cause is a cyber-attack, a software error, a hardware failure or human error, all companies are obliged under the GDPR to report any violation of the protection of personal data to a data protection supervisory authority. Article 33 of the GDPR states that the responsible party must notify the competent supervisory authority (the ICO) of a personal data breach straight away and, where possible, within 72 hours of becoming aware of it. If the notification is delayed, a reasonable justification for the delay must be provided.

There is also a duty of documentation, so the person responsible must ensure that all factors that led to the GDPR breach are clearly presented and documented. The better prepared a company is for a potential GDPR infringement, the better its chances of receiving only a small fine or even just a warning.


Now you know what counts as a breach, how can GDPR violations be prevented?

A GDPR violation can happen to any company. The best way to minimise the risk of a breach and its consequences is to take preventative measures. As well as having a strong crisis communication strategy, it is advisable to appoint a data protection officer (in some cases this is mandatory). To be sure of the strength of data security in a business, and to actively counteract a GDPR violation, all applications and software products used by the company should be checked to ensure they comply with GDPR requirements.


What else do you need to know about GDPR and data breaches?

1) Companies need to provide a clear explanation for collecting personal data

Many companies collect a user’s data without their knowledge. Even if the user doesn’t mind, there needs to be a clear explanation of how that data will be used. In accordance with GDPR principles, a person must give explicit consent to how their data is used.

2) Victims must be alerted to any risk

If a breach does occur, the company must contact the affected individuals straight away. According to GDPR principles, it is not appropriate or sufficient to release news of a breach through a press release, on a website, or through the use of social media.

3) GDPR compliance can differ from one company to the next

Compliance depends heavily on a company’s size, on the personal data collected through internal communication methods such as a team app, and on the goods and services that are offered.


If you think you have experienced a GDPR data breach, contact us today and we can put you in contact with data breach solicitors. They can investigate your data breach claim and see if you have a case worth pursuing. If you do have a strong case, you could be entitled to compensation not just for the risk of having financial information exposed but for any emotional distress or anxiety you suffered from having your personal data compromised.

Is revealing my email address a breach of GDPR?

Although your e-mail address is personal, private, and confidential, revealing it is not necessarily a breach of GDPR. For a revealed e-mail address to count as a breach of GDPR, it has to fall into one of the following categories:

  • A personal e-mail address such as Gmail, Yahoo, or Hotmail
  • A company email address that includes your full name such as firstname.lastname@company.com

If the revealed e-mail address does not fall into one of these categories, then there is no GDPR breach or data breach. That means admin@, info@, and similar business addresses are not in a category protected by GDPR. These are public knowledge and accessible to anyone.

However, when a personal e-mail address, or an e-mail address containing PII (Personally Identifiable Information), is widely distributed or leaked, it opens its owner up to spam and viruses, as well as unwanted attention and easier ways to track them. When the e-mail address contains PII, whether it is a personal or a business address, this can also become dangerous if the information falls into the wrong hands.

How do email addresses get shared?

When you give your e-mail address to a company, you are entrusting them with personal information. This might be to sign up for something, enter a competition, join a mailing list, or receive quotes or other information. Before the GDPR and the Data Protection Act 2018 came in, this information could be shared more easily with other companies that would pay for good e-mail addresses for marketing purposes. Thankfully, the new laws mean that companies cannot share your information without your express consent.

So how does an e-mail address get revealed at all?

There are different ways your e-mail address may have been leaked, and not all of them are malicious or intended; however, they are still an abuse of your rights and a breach of GDPR. Some of the offences include:

  • Using the CC (carbon copy) field in e-mails instead of the BCC (blind carbon copy) field, so that every address is visible to every recipient
  • Accidentally sending information to the wrong e-mail address. This is especially prevalent where autofill has been used to address an e-mail.
  • Forwarding an e-mail chain without checking that all personal and private information has been removed from the visible content
  • E-mail addresses and other data not being stored correctly or securely, making them easier to steal
  • Disgruntled employees or criminal activity within companies, where e-mail addresses are stolen or copied and shared outside the company

What can I do if my email has been revealed?

How you respond to your leaked or revealed e-mail address is usually up to you and depends on the severity of the breach. For instance, if your e-mail address was leaked in a group of e-mail addresses belonging to people with certain medical conditions, the leak or breach is much more serious than if your e-mail address was revealed in a general information mailing list where you were CC’d instead of BCC’d.

If you feel that the revelation or breach is serious, you should start by reporting it to the company directly. You may find that they are willing to make reparations immediately, or that they were not even aware of the problem. The company or person who revealed your e-mail address is then responsible for reporting the breach to the supervisory authority within 72 hours of finding out about it.

The supervisory authority will then investigate and will usually decide on the appropriate disciplinary action to be taken, if any.

You can also ask to see the correspondence between the company and the supervisory authority as it pertains to you and your information.

This is all laid out in Article 33 of the GDPR.

If you still feel that you have suffered injury or damage because your e-mail address was revealed, you may be able to take the matter further. If someone else having access to your e-mail address has resulted in measurable psychological or financial damage, you may be able to claim compensation if you can prove that the injury or damage was directly linked to the data breach.

How we can help with an e-mail GDPR violation

If your information has been leaked and you have suffered as a result, possibly through harassment, hacking, or other abuse of your e-mail address, you are probably feeling vulnerable and uncertain. At Data Breach Claims we put you back in control and put you in contact with one of the best data breach solicitors in the UK.

They will offer a free initial consultation to help you decide whether your case is worth pursuing, and they work on a no-win, no-fee basis. Our goal is to give you the best possible result.
