How To Report A Data Breach

A data breach needs to be reported by organisations if it risks your rights and freedoms. However, you may need to report a data breach yourself if you find that an organisation isn’t reporting it. In this article, we look at how to report a data breach, what a data breach claim involves and how much data breach compensation you could seek.

For more information about data breach claims, consult our advisors. Available 24/7, they will give you an obligation-free consultation.  

  • Please telephone us at 0800 408 7827
  • Contact us with details of your case 
  • Speak to us using the live chat feature

Choose A Section

  1. How Do I Report A Data Breach?
  2. Maximum Compensation For A Data Breach 
  3. What Is A Data Breach Report?
  4. How Much Time Do I Get To Report A Data Breach?
  5. Can I Have A No Win No Fee Lawyer?
  6. Further Guidance On How To Report A Data Breach

How Do I Report A Data Breach?

A personal data breach is a breach of security that leads to the accidental or unlawful loss, destruction, alteration, or unauthorised disclosure of or access to, personal data. Broadly, this is a security breach affecting the confidentiality of data. 

If a data breach occurs and it puts your rights and freedoms at risk, the party that was in control of the personal data should report it to the Information Commissioner’s Office (ICO). The ICO is an independent body that enforces data protection laws such as the UK General Data Protection Regulation and the Data Protection Act 2018.

If you suspect a data breach has occurred, you can contact the ICO if the organisation hasn’t already done so. However, you should try to contact the organisation about it first. The matter could be resolved directly. We discuss the time limit in which you have to report a breach in a section below.

There are two main parties that can process personal data.

Data Processor

A data processor is a person, public authority, agency or other body which processes personal data on behalf of the data controller. They act on behalf of the controller and under their authority. 

Data Controller

Unlike a processor, a data controller determines the purposes and means of the processing of personal data. Controllers make the decisions about processing activities undertaken by the processor. 

If either of these parties causes a data breach through wrongful conduct, you could claim. However, you’d need to show that your personal information was compromised in the breach and that you suffered financial loss or psychological harm as a result.

Data Breach Statistics

The UK’s Cyber Security Breach Survey 2021 found that four in ten (39%) businesses and 26% of charities suffered a cyber attack or cyber security breach in the previous twelve months. This is significantly higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

If you’d like to find out whether you could claim, simply get in touch.

Maximum Compensation For A Data Breach?

To claim, you must suffer material or non-material damages, or both. 

Material damages are the financial losses brought about by a data breach. This could come in the form of, for example:

  • Money stolen from bank accounts.
  • Damaged credit scores.

You could recover these losses as part of your data breach claim.

You could also seek non-material damages. The compromise of personal data can be a harrowing ordeal, especially if it is due to a malicious attack or proceeds from attempted blackmail or extortion. Claimable non-material damages include:

  • Anxiety
  • Depression
  • PTSD
  • Stress

You can see examples of non-material damages in the compensation table below. We’ve used the April 2022 edition of the Judicial College Guidelines (JCG) to create this table. This document is used by legal professionals when valuing claims. It lists injuries alongside potential compensation.

Injury | Severity | Compensation Bracket | Notes
Psychiatric harm generally (a) | Severe | £54,830 to £115,730 | The injured cannot cope with life as it were pre-trauma, with the degradation of close relationships and long term vulnerability.
Psychiatric harm generally (b) | Moderately severe | £19,070 to £54,830 | Significant problems but the prognosis will be more optimistic than above, with the injured having an opportunity to at least partially recover.
Psychiatric harm generally (c) | Moderate | £5,860 to £19,070 | Here, the prognosis will be good for future recovery.
Psychiatric harm generally (d) | Less severe | £3,950 to £8,180 | The length of period of disability and the extent to which daily routines are disturbed will be taken into account.
Anxiety disorder (a) | Severe | £59,860 to £100,670 | Any effects are permanent. The injured person cannot function at anything near pre-trauma levels.
Anxiety disorder (b) | Moderately severe | £23,150 to £59,860 | Better prognosis than above. Professional help allows for some recovery but with serious disability for the foreseeable future.
Anxiety disorder (c) | Moderate | £8,180 to £23,150 | The afflicted will largely recover with residual effects not debilitating.
Anxiety disorder (d) | Less severe | £1,540 to £5,860 | Full recovery from all symptoms in two years, potential for minor symptoms to persist.

If you’d like our advisors to value your claim for free, why not reach out?

What Is A Data Breach Report?

A personal data breach report is a report to a relevant authority about a potential, or actual, data security breach. Employees of a data controller might report a breach to their employer. If the data controller finds that the data breach risks the rights and freedoms of data subjects (people whose personal information is processed), the data controller should advise the ICO.

If you discover that your personal information may have been involved in a data breach, you could report your suspicions to the data controller. For example, if there was a mortgage broker data breach, you could contact them.

What Information Could Be Affected?

Physical and digital personal information can be subject to data breaches. The causes of data breaches are varied and are not necessarily malicious. Understanding these differences can be useful when seeing how to report a data breach. 

Physical data

Physical data is physically stored data, such as a paper file or documents. Data breaches can consist of: 

  • Incorrect disposal of paperwork or hardware containing personal data. 
  • Data being posted or faxed to the wrong person even though the organisation has the correct address. 
  • A failure to redact personal information published in a physical document.
  • Loss or theft of paperwork containing personal information. 

Digital Data

Personal data that is held digitally could be processed via online systems. However, breaches of digital data can happen just as easily as breaches of physical data, through: 

  • Personal data that was emailed to an unauthorised recipient.
  • A failure to use BCC in emails to multiple personal addresses.
  • A failure to redact personal information published online.
  • Malware or ransomware being used to access personal data held online.

ICO Data Breach Figures 

The ICO’s data security incident trends show that, in the 4th quarter of 2021/22, 2,172 data breach incidents were reported. Of these, 381 involved personal data emailed to an incorrect recipient. The health sector reported the most data security incidents with 427.

How Much Time Do I Get To Report A Data Breach?

The Information Commissioner’s Office (ICO) is the body with authority over data protection. If a data controller finds that a personal data breach has occurred and it risks the freedoms and rights of data subjects, they should report it to the ICO within 72 hours of discovery. They should also inform data subjects of the breach without undue delay. 

If you discover that your personal information is compromised due to a data breach, you could contact the data controller or organisation yourself. If they don’t give you a satisfactory response, you could contact the ICO about the situation. However, you’d need to do this within 3 months of the organisation’s final, unsatisfactory response on the matter. If you wait longer to report the situation to the ICO, it could impact their decisions on the matter.

The ICO can investigate the breach, but they can’t compensate you for any suffering. You could seek compensation by claiming, however.

Time Limits To Starting A Claim

If you want to make a claim, you generally have six years to do so. The exception to this is when you wish to claim against a public body, in which case you could have one year. 

Can I Have A No Win No Fee Lawyer?

To claim and report a data breach, you may look to legal representation to help you. If you have a strong claim, a solicitor may offer you a No Win No Fee agreement.

Our panel of solicitors offers No Win No Fee agreements for all claims they accept. Under such an agreement, you wouldn’t need to pay the solicitor a fee for their service upfront or while the claim is ongoing.

In fact, you’d only pay the solicitor’s fee if the claim succeeds. This is called a success fee, and it is capped by law. You can discuss the fee with your solicitor before you agree to use their services.

If the claim fails, you won’t have to pay the success fee at all.

To report a data breach and see if you can make a claim, consult our advisors. Available 24/7, they will give you an obligation-free consultation.

Further Guidance On How To Report A Data Breach

If this guide was useful, you might want to read these: 

Writer Ryan Walsh

Publisher Ruth Vernon