Personal

Data Breach Claims

SOLVING PERSONAL LEGAL MATTERS

together

On the 25th May 2018, new legislation came into force that gave individuals more control over personal data and what data can be held by organisations. The General Data Protection Regulation (GDPR), and the Data Protection Act 2018 contain provisions and requirements on processing of personal data of individuals. It was amended on the 1st January 2021 as a consequence of Brexit.

Those that control this data, must have appropriate technical and organisational measures to protect the data they collect, and obtain consent for its collection and disclosure where required. This is why you get pop-ups on every website you go to informing you that they use cookies to gather data.

While the majority of companies have taken robust action to protect this data, not all organisations do. If your data is misused, or disclosed, or lost and you have suffered financial loss or distress then it may be possible for you to claim compensation. If you think you have been adversely affected by a data breach, then contact our expert lawyers today.

Data breach compensation

Under GDPR law, if an organisation that holds your data causes it to be lost, destroyed, or disclosed in an unauthorized way whether that's by error or accident by someone inside or outside the organisation you can claim compensation for any loss caused by the breach and the distress it has caused.

Data breaches may involve:

  • Personal health information (PHI)
  • Medical documents
  • Social services documents
  • Financial information
  • Sensitive, protected or confidential information

Can you get compensation for breach of data protection?

You have a right to claim data protection breach compensation due to GDPR if you have suffered as a result of an organisation breaking the data protection law. The organisation may agree to pay the compensation to you without involving the ICO so you do not have to claim.

If you believe your personal data has been lost or misused and you have suffered loss or distress, you may be able to claim for compensation. However, data breach cases are not straightforward. It is recommended to contact the Information Commissioner's Office (ICO), the UK's data protection regulator and supervisory authority for GDPR compliance. The ICO can investigate the incident and determine if an organisation is at fault for the breach. This can be a slow process, but a finding in your favour will add weight to a compensation claim. The ICO does not award compensation, to be awarded compensation you will need to make a claim against the organisation who breached your data.

You don't have to contact the ICO or wait for its investigation to conclude, you can bring a case against an organisation directly without having to involve the ICO. However, it will make you case much stronger if they find there is a breach.

Who can you claim against for a breach of data protection?

You can bring a claim for a data breach against an organisation either in the public sector, private sector or charitable sector. In some cases, there may be more than one defendant. Typically, GDPR claims and data breach claims are settled out of court.

What is the data breach compensation amount in the UK?

How much you will get in compensation will depend on the type of data breach and how this has affected you both financially and mentally. The law in this area is currently developing; the courts haven't yet given many specific guidelines on what will be awarded.

The sums awarded under these guidelines include injury to feelings and any consequential financial loss. There is limited case law on the valuation of these claims. The wards can range from:

  • £900 - £1,500 ( in less serious cases where the discrimination is a one off incident or isolated in nature. For example, it did not happen in a public place, apologies were made.
  • Up to £10,000 or more if there is a lengthy campaign of discrimination and harassment - particularly rude or insensitive language, widespread publication, whether it relates to personal/intimate part of life, depression or illness is caused as a result of the act of discrimination, which can be supported by medical evidence.
  • In very serious cases, aggravated Damages can be awarded if there was a motive for the wrongful disclosure or the conduct of the other party during the litigation is considered to be unmeritorious or aggressive.

Forbes Solicitors have a team of experts in this area who can offer a free initial consultation to determine if we can help and whether your case is worth pursuing. If you do have a case our highly experienced solicitors will be able to offer support and guidance in making an initial complaint to the ICO and thereafter in pursuing your claim to settlement, through the Courts if necessary. No win, no fee funding arrangements are available.

Can I claim GDPR compensation for unsolicited emails?

In theory you can make a compensation claim under GDPR against a company sending you marketing emails that you haven't signed up for or have unsubscribed from, but it is unlikely to be economical to instruct a solicitor to make the claim. Legal costs are not generally recoverable in small claims cases. You can ask them to stop doing this and make a formal complaint if they don't do so.

As well as other types of data, GDPR also covers marketing emails that businesses and other organisations send to you. They may have your email address and other data for a number of different reasons, for example if you bought something from them, made a charity donation, asked to be kept informed about something from them or entered a competition. Depending on the permissions you gave them when you did this, they might be able to use your data for marketing reasons or even sell it to third parties. Any marketing email you receive should include details of what to do if you wish to unsubscribe from these types of emails.

Under GDPR, and Article 21 of this legislation specifically, you can request that they stop contacting you for marketing purposes. If they continue despite this, you can complain about them to the Information Commissioner's Office (ICO).

You can in theory make a compensation claim for unwanted marketing emails but there is likely to be very limited or no financial damage suffered, as opposed to a data breach where someone might have used your personal data to commit fraud or other crimes.

Can I make a GDPR claim for subject access requests (SARs)?

You have the right to ask any company or organisation what data about you they are holding and/or using. This is called a subject access request or SAR and organisations usually have to respond with the requested information within one month, although this could be extended up to three months for complex requests.

Their response to the SAR should contain the information you specifically requested and may also tell you:

  • What the information they hold on you is being used for
  • Where they got your information in the first place
  • Who, if anyone, they are sharing the information with
  • How long they will keep your information and why that length of time was decided upon
  • How you can change inaccurate information, ask them to delete it or choose not to have it used for certain purposes
  • Your rights if you want to complain to the ICO
  • Details of security measures taken if your information has been transferred internationally.

If the organisation fails to provide the information requested within this timeframe without a valid reason, you can complain about them to the ICO.

In theory you can make a compensation claim, however the value of the claim means that it is unlikely to be economical to instruct a solicitor to make the claim. Legal costs are not generally recoverable in small claims cases.

Case Studies

Gulati v MGN Ltd - £72,500 - £260,250 - Phone hacking and prolonged attempts to acquire personal data for a newspaper publication. The intentional misuse of data along with repeated misuse will increase any award.

TLT v Home Department - (Two Iranian Parents) - The Home office failed to anonymise published data relating to families with no right to remain in the UK. It published names and countries of origin and areas they lived in, they were awarded £12,500 each. They were fully aware of the extent of the breach and how it affected them. Their fears and concerns were genuine. They were forced to move home and change their child's school as a result of the breach. The claimants child was awarded £2,500 to reflect the need to move home and school.

Another claimant for the same breach was awarded £6,000. She had a legitimate and reasonable fear that the data breach could be accessed by her former government and that this could lead to her being tracked down. Another claimant was awarded £3,000 based on the initial shock of the data breach

Weller v Associated Newspapers - Photographs of a musician were published that included pictures of his three children. The case was brought on the children's behalf. Two of the children were babies and were unware of the breach. They were awarded £2,500. She was awarded more as her feelings of embarrassment and of being threatened by the photographer were held as legitimate.

Commissioner of Police of the Metropolis v Andrea Brown - Police officer successful proved that police facilities were wrongly used to obtain her passport and travel details. These should be used only to prevent crime, but in her case were used for an internal grievance procedure. She was awarded £9,000. She suffered distress as a result of the breach. The award was increased because there was evidence of abusing statutory power, causing her to lose control of her data.

Other examples of data breaches that we have seen are:

  • Medical records and financial information being sent to the wrong address either by post or email.
  • Organisations releasing an address of an individual who has separated from a violent partner.
  • Debt recovery agencies pursuing incorrect debts.

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday:
Closed

FAQs

What is a GDPR Claim?
 
 

Known as the General Data Protection Regulation (GDPR), this regulation outlines provisions and requirements on pertaining and processing of personal data of individuals within the European Economic Area.

If your data is misused, disclosed, or lost and you have suffered financial loss or distress then it may be possible for you to claim compensation. If you think you have been adversely affected by a data breach, then contact our expert solicitors today.

Can I get compensation for a data breach?
 
 

It is possible to make a data breach claim for compensation but you must be able to provide evidence that you have suffered damages and stress as a result of the data breach. The current period for making a data breach claim is 6 years, 1 year if it involves a breach of Human Rights.

The aim of compensation is to try and place a claimant back in the same position as if no discrimination had taken place. If you think you have been adversely affected by a data breach, then contact our expert solicitors today.

Can you sue for a GDPR Breach?
 
 

The short answer is, yes. GDPR was introduced in May 2018 to ensure personal data is not misused, disclosed, destroyed or lost.

Every circumstance will be different but if you think you have been affected by a data breach, then contact our expert solicitors today who will be happy to assist.

Can I get compensation for a GDPR breach?
 
 

Yes. The aim of compensation is to try and place a claimant back in the same position as if no discrimination had taken place. If your data is misused, disclosed, destroyed or lost and you have suffered financial loss or distress then it may be possible for you to claim compensation. GDPR was introduced in May 2018 to protect consumers and employees. There are rules that companies must abide by in order to remain compliant. If a business does not follow this then they may be liable to pay compensation.

If you think you have been adversely affected by a data breach, then contact our expert solicitors today.

Need more help?

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Our Reviews

Our dedicated Data Breach Claims team

Partner, Clinical Negligence and Personal Injury Solicitor

John Bennett

Partner

Personal Injury

PinAccrington

Call01254 872111

Associate Clinical Negligence and Personal Injury Solicitor

Leonie Millard

Partner

Clinical Negligence

PinLeeds

Call01254 770517

Lisa Atkinson

Lisa Atkinson

Associate

Personal Injury

PinAccrington

Call01254 222448

Next

Useful Information

Article

Supreme Court finally set to rule on when non-material damage is serious enough to justify a claim

25 Mar 2021

It is clear to see that GDPR claims are certainly on the rise, with a flurry of activity featuring…

Read more

Article

Data breach claims and the rogue employee

02 Feb 2021

The recent case of Morrison's v others concerned Mr Skelton, a former employee who had been…

Read more

News

Hack Attack

20 Aug 2021

The High Court have recently handed down a judgment in the case of Warren v DSG retail who operate as Dixons…

Read more

Contact Us

If you have a general enquiry then please fill in your details and someone will contact you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday: 09:00 to 17:00
Saturday and Sunday: Closed