Connect with us


Making A Data Breach Claim

Last updated by


data breaches and GDPR

Data breaches are becoming increasingly common. According to the Ponemon Institute, the average cost of a data breach now stands at $3.86 million per incident. This figure represents a significant increase over the past few years when the average cost was just under $1.5 million.

Do you remember the high-profile data breach in May 2018, when hackers stole data belonging to nearly 50 million customers of Equifax Inc., a credit reporting agency based in Atlanta, Georgia? You probably don’t, as there have been so many more data breaches of significance.

The truth is that data breaches are more prevalent than we care to admit. Cyber-attacks always happen, causing extensive damage to businesses and individuals whose data get lost or exploited by malicious entities.

The good news is that if you were to fall victim to a cyber-attack and have your personal data compromised, you are not entirely helpless you can make a claim. Suppose the event happened due to a data controller’s negligence (this refers to any company or organisation that holds your personal information). In that case, you are entitled to pursue a data breach claim and could receive compensation for the loss you’ve experienced. So, if you think your data has been breached or want to learn more about the topic, this guide will help you understand the basics of data breach claims.

What Counts As A Data Breach?

According to recent figures provided by the UK Government, approximately 39% of businesses and 26% of charitable organizations taking part in the survey experienced cyber security breaches or attacks over the 2020-2021 period. The number of cyber-attacks is obviously on the rise, but many people still don’t understand what data breaches are and how they happen in the first place.

Data breaches occur when an individual’s private data is destroyed, altered, lost, accessed, stolen, misused, or disclosed by an unauthorized person due to a security breach. Personal data can be any information about a person that can help identify that individual. This includes name, address, contact details, biometric and health data, financial information, etc.

A data breach can be caused by human errors, accidents, or intentional actions and can take many forms. For instance, a company can send your private details to a third party without your permission by mistake, or a hacker may break into their system and steal your credentials. The most common types of data breaches include:

  • Phishing attacks
  • Distributed Denial Of Service (DDoS)
  • Ransomware
  • Malware
  • Password attacks
  • Eavesdropping attacks

Let’s also not forget video surveillance and biometric data hacks too.

Understanding UK GDPR Compliance

The Data Protection Act 2018, which serves as UK’s General Data Protection Regulation (GDPR) after leaving the European Union, sets out the data security and privacy laws on UK’s territory.

According to the Information Commissioner’s Office (ICO), there are seven principles on which UK GDPR is based:

  • Lawfulness
  • Fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity
  • Confidentiality
  • Accountability

When an organisation that collects and stores sensitive information from individuals suffers a data breach that can potentially affect the rights, freedom, and well-being of said individuals, the organisation has a legal requirement to inform ICO within 72 hours of the event.

Suppose this data breach has occurred due to the organisation’s non-compliance with the GDPR and the principles listed above and you have been affected by it. In that case, you are in your right to claim a data breach against the organisation and receive compensation from them.

Data Breach Claim Timeframes

There are specific timeframes for data breach claims. It pays to know your rights, and when to put forward your data breach claim, so the process occurs. Put off your claim for too long, and you risk losing your right to do so.

Do your research and plan your action. Remember, you’re within your right to make a claim if you’ve been unduly impacted by the loss of your personal data by an organization.

Act within 12 months

The period for making a data breach claim varies from case to case, depending on several factors. If you want to claim against a public body, such as a hospital, the police, government departments, or the local council, you can do so within one year.

Act within six years

With commercial entities, you’ve got six years to take action against and claim compensation. While it may seem long, you’re better off commencing proceedings as soon as possible, so you’ve got time on your side to get your case through the system.

Reaching An Agreement Vs. Going To Court

One of the most common concerns is whether they will have to go to court to receive data breach compensation.

In most cases, you can contact the organisation responsible for the data breach, and they can agree to settle out of court. This action requires you to agree to a payout without getting the court involved in the process.

However, if this scenario does not play out as you expected and the organisation refuses to pay you fair compensation, you’ll have to change your approach and make a claim in court. Then, based on your evidence and the case details, the court will decide if your claim is valid and if you are entitled to compensation. The court will also settle the compensation amount according to the extent of the damages you’ve suffered.

Given that the legal landscape and the claim procedure can be rather complicated for those unfamiliar with the field, the best course of action is to reach out to a data breach solicitor who can provide guidance before taking the case to court. And if you have to settle things in court, an experienced professional can handle your case for you and increase your chances of receiving fair compensation.

This business blog post is not legal advice. Always engage the expertise and seek their legal advice about your specific case before making any decisions regarding data breach claims.