Skip to main content

Guidance for Data Breach Victims

Guidance for Data Breach Victims

What should you do if your personal data is compromised?

GDPR and the Data Protection Act 2018 impose rigorous data protection standards on organisations processing your data in the UK and EU. If you believe your personal data has been involved in a breach of those standards, it is important to understand what steps you should take against the organisation responsible.

What is a data breach?

A data breach is the accidental or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A data breach could arise in a variety of circumstances, for example:

  • A debt which does not belong to you is accidently registered against your credit record, affecting your eligibility for certain mortgages.
  • You are making a payment over the phone to a call centre. They do not use an encrypted phone line and your call is accessed by an unauthorised third party.
  • You request a copy of your medical records from your GP. These are not sent by registered post and do not arrive. Neither you nor the clinic can trace where your records are.

There are exceptional circumstances where disclosure of your personal data may be possible without amounting to a breach. One important exception is personal data processed for journalistic purposes, where this is in the public interest, and specialist advice should be sought on this point.

What steps should I take as the victim of a data breach?

Step 1: Contact the party responsible for the data breach

If you suspect that your personal data has been involved in a breach, you should consider contacting the organisation responsible.

Organisations must report relevant data breaches to the ICO within 72 hours. However, if the breach does not present any risk to you, the organisation does not need to report it.

Step 2: Report the breach to the ICO

Victims of a data breach can also make a complaint to the Information Commissioners’ Office (ICO) here.

The ICO asks to be informed of a complaint within 3 months of your last “meaningful contact” with the breaching organisation. You should consider contacting the ICO as soon as you become aware of the breach.

The ICO can investigate organisations and take action against them, such as issuing fines. However, they are not responsible for issuing compensation to individuals. Nonetheless, a decision from the ICO could bolster a judicial claim for compensation, discussed below, so it is still worthwhile contacting them for input.

Additionally, it may be possible to make a report to the body responsible for regulating the organisation which breached your data, such an ombudsman. These industry regulators are sometimes able to investigate a breach and suggest a remedy. In certain cases they may be able to make the organisation pay compensation if a victim has suffered distress.

Once you have a decision from the ICO (and a regulatory body where available), you should consider providing evidence of this to the organisation responsible for the breach and requesting they redress the loss you have suffered.

Step 3: Contact a solicitor and raise a court action

If you are not satisfied with the breaching organisation’s response, you could consider raising a court action for compensation.

When making a claim for compensation, it is vital to demonstrate how the breach has affected you. You must show that any damage you have suffered is a direct result of the data breach. This could be material damage, such as financial loss, or non-material damage, such as the distress of having your data mishandled.

Depending on the value of your claim, a court action may or may not be financially worthwhile. Litigation is notoriously expensive and the cost of bringing an action may outweigh any compensation you would receive. You should seek advice from a solicitor as to whether a compensation claim would be appropriate in your circumstances.

Liam McMonagle is a specialist Intellectual Property, Technology and Media Solicitor, advising clients on Data Protection and GDPR. We are always delighted to talk without obligation about whether we might meet your needs. Call Liam on 0131 225 8705 or email

About the author

Liam McMonagle
Liam McMonagle

Liam McMonagle


Corporate & Commercial, Data Protection & GDPR, Intellectual Property, Trade Marks

For more information, contact Liam McMonagle on 03330 166583 .