It can be devastating when your personal data is breached. In recent years, data breaches have become increasingly common, with cybercriminals constantly finding new ways to exploit vulnerabilities in digital systems. It’s not just cybercriminals who are to blame, though – businesses and organisations that collect and store personal data have a legal obligation to protect it. This guide aims to provide you with a comprehensive overview of what happens if you break the Data Protection Act and the steps you can take if your personal data has been breached. We cover the types of personal data breaches, the legal requirements for reporting a data breach, the claims process for data protection breach compensation, and more.
If you have any questions about the information in this guide or would like to begin a claim, please get in touch with one of our advisors.
Understanding The Data Protection Act And GDPR
The Data Protection Act (DPA) is a UK law that sets out rules for how personal data must be processed and protected. It applies to anyone who handles personal data, from individuals to large organisations.
The General Data Protection Regulation (GDPR) is a regulation that was introduced by the European Union (EU) in 2018. It applies to any organisation that processes the personal data of EU citizens, regardless of where the organisation is based.
Under the DPA and GDPR, personal data must be processed lawfully, fairly, and transparently. This means that individuals must be informed about how their data will be used, and must give their consent for it to be used in this way. Data must be accurate, current, and only kept for as long as necessary. It must also be kept secure and protected against unauthorised access, loss, destruction, or damage.
What Is A GDPR Breach? Types Of Personal Data Breaches
A GDPR breach occurs when there is a breach of security that results in the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This could be the result of a cyberattack, a phishing scam, or an employee error.
There are two main types of personal data breaches – confidentiality breaches and integrity breaches. A confidentiality breach occurs when personal data is accessed or disclosed by someone who is not authorised to do so. An integrity breach occurs when personal data is altered or destroyed without authorisation.
Examples of personal data breaches include:
- A cyberattack that results in personal data being stolen
- An email containing personal data being sent to the wrong email address
- A staff member accidentally deleting personal data
- Personal data being left on an unsecured device or in an unsecured location
Reporting A Data Breach – Legal Requirements And Consequences
Under the GDPR, organisations must report certain types of personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Individuals affected by the breach must also be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Failure to report a personal data breach can result in a fine of up to €10 million or 2% of the organisation’s global annual turnover (whichever is higher).
Penalties for Data Breaches – Understanding Fines And Criminal Charges
Organisations that fail to comply with the DPA and GDPR can face significant penalties, including fines and criminal charges.
Under the GDPR, organisations can be fined up to €20 million or 4% of their global annual turnover (whichever is higher) for serious breaches of the regulation. The ICO can also issue fines under the DPA, with a maximum fine of £17.5 million or 4% of global turnover (whichever is higher).
In addition to fines, individuals who are responsible for data breaches can also face criminal charges. For example, under the Computer Misuse Act 1990, cybercriminals who hack into computer systems and steal personal data can face up to 14 years in prison.
Data Protection Breach Compensation – Overview of the Claims Process
You may be entitled to compensation if your personal data has been breached due to wrongdoing by a data controller. The compensation you can receive will depend on the nature and severity of the breach and the impact it has had on you.
To make a claim for data protection breach compensation, you will need to provide evidence of the breach and the impact it has had on you. This could include financial losses, emotional distress, or damage to your reputation.
It is important to note that there is a time limit for making a claim for data protection breach compensation. Under the Limitation Act 1980, claims must be made within six years of the date of the breach, or within one year for claims against public bodies. It may be best to check which time limit applies to your claim by calling one of our advisors.
Conditional Fee Agreements (CFA) and No Win No Fee Claims
A Conditional Fee Agreement (CFA), also known as a No Win No Fee agreement, is a legal agreement between a client and a solicitor. The agreement states that if the claim is unsuccessful, the client will not have to pay for the solicitor’s work on their case. If the claim is successful, the solicitor will be paid a percentage of the compensation awarded. This success fee is capped under the Conditional Fee Agreements Order 2013.
No Win No Fee data breach claims can be beneficial for individuals who want to make a claim for data protection breach compensation but are concerned about the cost of getting a solicitor to help them with their claim.
How to Calculate Compensation for a Data Breach Claim
As well as understanding what happens if you break the Data Protection Act, you might want to know what compensation a victim could claim. The amount of compensation you can receive for a data protection breach claim will depend on a number of factors, including:
- The nature and severity of the breach
- The impact the breach has had on you (e.g. financial losses, emotional distress, damage to reputation)
- Any expenses you have incurred as a result of the breach (e.g. legal fees)
To calculate compensation for a data breach claim, your solicitor will consider these factors and work with you to determine an appropriate amount of compensation.
Claiming Compensation For Distress – How Much Could I Receive?
Data breaches can result in not just financial loss, but also non-material damages such as emotional distress, loss of privacy, and reputational harm. If you have suffered non-material damages due to a data breach, you may be entitled to compensation.
But how do you calculate the amount of compensation you should receive? Legal professionals can refer to the Judicial College Guidelines, which provide a framework for calculating non-material damages in data breach claims.
The Guidelines offer a range of compensation amounts for different types of non-material damage, based on the severity of the harm and its impact on the individual. For example:
- Severe psychological harm – £54,830 to £115,730
- Moderately severe psychological harm – £19,070 to £54,830
- Moderate psychological harm – £5,860 to £19,070
- Less severe psychological harm – £1,540 to £5,860
While the Guidelines are not binding, they can be a helpful starting point for legal professionals when determining an appropriate compensation amount for their clients.
Data Protection Breach Prevention: Best Practices for Individuals and Businesses
Preventing data breaches is essential for protecting personal data and avoiding legal consequences. Here are some best practices for individuals and businesses to prevent data breaches:
- Use strong passwords and two-factor authentication
- Regularly update software and install security patches
- Train staff on data protection best practices
- Encrypt personal data when it is being transferred or stored
- Conduct regular risk assessments to identify and address vulnerabilities
Start A Claim For Data Breach Compensation
If you have been the victim of a data protection breach, it’s important to know your rights and options for compensation. By understanding the types of personal data breaches, the legal requirements for reporting a breach, and the claims process for compensation, you can take steps to protect yourself and hold organisations accountable for their actions.
If you have any questions about data protection breach compensation or would like to begin a claim, please contact one of our advisors. We’re here to help.
What Happens If You Break The Data Protection Act – Further Guidance
Finally, now we’ve explained what happens if you break the Data Protection Act, you might want to do some further reading on data breach claims. If so, please see the links below.
What Are The Requirements For A Valid Data Breach Claim Under The Data Protection Act? – Learn more about the eligibility criteria for making a data breach claim in this guide.
How Do I Quantify The Losses In A Data Breach Case? – Next, read more about compensation for data breach claims.
Can An Individual Be Held Responsible For A Data Breach? – Learn more about who could be liable for a data breach claim.
National Cyber Security Centre (NCSC) – The NCSC is part of the UK’s intelligence agency, GCHQ. It provides advice and support to help individuals and businesses protect themselves from cyber threats, including data breaches.
Gov.uk – The UK government’s website provides information on data protection regulations, including the General Data Protection Regulation (GDPR), as well as guidance for businesses on how to comply with these regulations.
UK Finance – Finally, UK Finance is the trade association for the UK banking and financial services sector. Its website provides guidance on data protection issues specific to the financial sector, as well as resources for businesses to help them comply with data protection regulations.