Any organisation can have a data breach, and any individual can be a victim of one. According to the most recent IT Governance statistics, there were 1,243 security incidents reported in 2021, representing an 11% increase from the 1,120 recorded in 2020. As a consequence, 5.13 billion records containing sensitive information were compromised.
It might be frightening to learn that your personal data has been stolen, but there are actions you can take to lessen the repercussions of the breach and limit the distribution of any leaked sensitive data.
The following guidance will assist you in efficiently planning to respond to a breach, as well as outline the steps you may take if you think there has already been a breach of personal data. Whether an email was sent to the incorrect person, your laptop was stolen, or an online account was compromised, it is vital that you exercise your legal rights to secure your data as much as possible.
Who protects your personal data?
The Information Commissioner’s Office (ICO) is the UK government body responsible for safeguarding individual data privacy rights and upholding data rights in the public interest.
The ICO is in charge of enforcing the Data Protection Act 2018, which specifies how organisations, businesses, and the government must manage personal data. The Act is based on the General Data Protection Regulation (GDPR), the European Union’s equivalent of the Data Protection Act, so the two regulations are quite similar.
According to the ICO, all organisations that process your personal data must follow the “data protection principles” and guarantee that the information they store and handle is:
- Used in a lawful, fair, and transparent manner
- Only used for the intended objectives
- Not kept any longer than required
- Adequately protected by the use of security measures to prevent unauthorised or illegal processing, loss, destruction, or damage
The ICO is particularly concerned with the protection of personal data privacy. It takes special precautions to safeguard data that reveal sensitive details about an individual, such as:
- Political convictions
- Union membership
- Sexual orientation
As such, a data breach that leaks this type of information about you can have serious consequences, such as financial loss and severe emotional distress. If you suffer such repercussions, you would be eligible to make a compensation claim for the data breach.
What is the timeframe for a business to report a breach?
By law, a data breach must be reported to the ICO within 72 hours. This prompts the ICO to begin a thorough investigation to find the root cause of the leak and to confirm that all parties followed the appropriate steps and fulfilled their legal obligations. If the ICO finds that the business storing your data did not protect it adequately, and this resulted in tangible damage or loss, you would likely be eligible to pursue legal action.
Reporting the breach
The data controller must notify the ICO of the breach on the ICO website. The 72-hour timeframe starts when they learn of the breach, not when it happens. Failing to notify the ICO limits the possibility of regaining any of the lost personal data.
Seeking legal counsel, however, guarantees that the breach is thoroughly investigated and that your rights as the data subject are protected. If a breach of your data is confirmed, legal counsel will ensure that you understand your rights, and if your data has been leaked, you have a better chance of receiving compensation where the business that stores your data is found to be at fault for the breach.
Logging the breach
Keeping a comprehensive record of what transpired will help any victim of a breach to provide reliable evidence if they decide to seek compensation. These logs can substantially support the argument that their data was misused or improperly retained.
The ICO can begin an inquiry once it receives the report. The controller is required to keep a log that details the facts of the breach, including a timeline of what happened and why, who was involved, how events unfolded, and what measures they took in response to the breach.
Containing the breach
The ICO can respond quickly and efficiently if it has a clear understanding of the circumstances surrounding the incident. This is vital, as knowing what happened to your leaked data can help limit its spread.
Where feasible, the organisation responsible should try to recover the data from its end as soon as possible. The data controller must also implement adequate precautions to protect everyone who may be vulnerable to future breaches.
Depending on the nature of the breach, the organisation responsible for your data may be able to take practical actions to eliminate any harm. For example:
- If the data controller inadvertently sent sensitive information to the wrong person, the organisation can ask that person to delete it or return it securely.
- The controller can retrace their actions to discover where the breach happened, then identify and rectify any security flaws or operational concerns that may have led to the intrusion.
- If a device has been stolen and its data can be wiped remotely, the organisation should do so as soon as possible to reduce the danger of sensitive information falling into the wrong hands.
Understanding your legal rights
If you suspect that your data has been improperly used or is not being kept secure, you should notify the organisation that has it directly so that appropriate responsive action may be taken. If you are unhappy with their response or feel that additional action is needed to address the breach, you should notify the ICO.
If a company violated data privacy standards and you suffered as a result, you have the right to file a data breach compensation claim under the Data Protection Act 2018.
Can I claim for a data breach?
In the case of a sensitive data breach, the data controller may be held accountable and ordered to pay compensation. This typically applies where the private data was not previously available in the public domain, such as sensitive financial or medical information. In such circumstances, you should discuss your position with a data breach legal specialist to see whether you have a solid case for a data breach claim.
As previously stated, the ICO can investigate a data breach and attempt to determine who is legally accountable. A favourable ICO judgement stating that the other party misused an individual’s data would significantly strengthen that individual’s compensation claim, although this may be a time-consuming procedure.
If you have been subject to a data breach and suffered tangible losses as a result, you can submit a claim against an organisation for a data breach – you do not need to go via the ICO or wait for the end of its investigation. You can do so immediately with the party at fault because they will be accountable for paying compensation, not the ICO.
However, organisations may attempt to minimise their obligations and responsibilities for data security, or they may withhold information about the scope of a breach. As a result, getting legal counsel from experts in data breach claims can ensure that your legal rights are safeguarded and that your claim is fully examined.