By Stuart Snape, Managing Partner, Graham Coffey & Co. Solicitors

Any business or individual is susceptible to a data breach. Data from the latest IT Governance study indicates that the number of reported security breaches rose by 11% from 1,120 in 2020 to 1,243 in 2021, leading to 5.13 billion compromised records containing sensitive information.

The reality of your personal data being stolen can indeed be daunting, but it is crucial to know that there are measures available to mitigate the damage of the breach and restrict the propagation of leaked sensitive data.

Here, we outline how you can devise an effective plan to respond to a breach and also detail the steps you can take if you suspect a personal data breach. Whether a misplaced email, a stolen laptop, or a compromised online account, asserting your legal rights to protect your data protection is imperative.

Who protects your personal data?

In the UK, the responsibility of safeguarding personal data privacy and advocating data rights in public interest lies with the Information Commissioner’s Office (ICO). The ICO is tasked with implementing the Data Protection Act 2018, which outlines how organisations, businesses, and the government should handle personal data. This law is modelled on the General Data Protection Regulation (GDPR) of the European Union, hence they are quite similar.

The ICO mandates that all organisations handling your personal data adhere to “data protection principles” ensuring that the stored and processed data is:

• Utilised in a lawful, fair, and transparent manner

• Used exclusively for the stated purposes

• Accurate

• Retained only as long as necessary

• Secured with adequate measures to prevent unauthorised or illegal processing, loss, destruction, or damage

The ICO places significant emphasis on safeguarding personal data privacy, especially in relation to data that discloses an individual’s identity such as:

• Race

• Ethnicity

• Political beliefs

• Religion

• Biometrics

• Union membership

• Sexual orientation

• Health

A data breach leaking such sensitive information could lead to severe consequences, including financial loss and emotional distress, likely entitling you to seek compensation for the data breach.

What is the timeline for a business to report a breach?

A data breach must be reported to the ICO within 72 hours as per law. The ICO then initiates a comprehensive investigation to identify the root cause of the leak and verify if all parties have fulfilled their legal obligations. If the business storing your data is found to have failed in adequately securing it, resulting in tangible damage or loss, you may be eligible to pursue legal action.

Reporting the breach

The data controller is required to report the breach on the ICO website within 72 hours of discovering it, not when it occurred. Failure to notify the ICO might reduce the chance of retrieving any of the lost personal data.

However, consulting legal professionals can ensure a thorough investigation of the breach, protection of your rights as a data subject, and a comprehensive understanding of your rights if a data breach is identified. This gives you a better chance of receiving compensation if the business handling your data is found responsible for the breach.

Logging the breach

Recording a detailed account of the incident will assist any victim in providing credible evidence when seeking compensation. These logs can substantially bolster the argument that their data was mishandled and improperly retained.

Upon receiving the report, the ICO will commence an investigation. The controller should maintain a record detailing the circumstances of the breach, including a timeline of events, individuals involved, the sequence of events, and the corrective measures undertaken in response to the breach.

Containing the breach

A clear understanding of the incident allows the ICO to respond quickly and effectively. This is crucial, as knowing what happened to your leaked data can help to contain its spread.

The organisation responsible should strive to retrieve the data at their end as soon as possible. The data controller needs to implement sufficient measures to safeguard those potentially vulnerable to future breaches.

Based on the nature of the breach, the organisation holding your data may take practical steps to mitigate any harm. For instance:

• If critical information was mistakenly shared, the organisation can request its removal or secure return.

• The controller could backtrack to locate the breach source and rectify any security or operational issues that could have led to the violation.

• If a digital asset has been stolen and its data can be remotely wiped, the organisation should do so promptly to reduce the risk of sensitive information falling into the wrong hands.

• Understanding your legal rights

• If you suspect your data has been misused or is not securely stored, you should alert the respective organisation so that they can take appropriate corrective action. If you are dissatisfied with their response or believe more needs to be done to address the breach, you should notify the ICO.

If an organisation violates data privacy regulations causing you harm, you have the right to file a data breach compensation claim under the Data Protection Act 2018.

Can I claim for a data breach?

In the event of a sensitive data breach, the organisation responsible for data control can be held liable and compelled to pay compensation. This typically involves situations where private data that was not publicly accessible before, such as sensitive financial or medical information, has been compromised. In such cases, it is advised that you consult a legal expert specialising in data breaches to assess whether you have a strong case for a data breach claim.

As mentioned previously, the ICO can investigate a data breach and try to determine legal responsibility. A favourable ICO verdict stating that the other party misused an individual’s data would significantly strengthen their compensation claim, although this might be a lengthy process.

If you have suffered tangible losses due to a data breach, you can file a claim against an organisation for a data breach – you do not have to go through the ICO or wait for the conclusion of its investigation. You can proceed directly with the party responsible, as they will be accountable for paying compensation, not the ICO.

However, organisations may try to downplay their data security obligations or withhold information about the extent of a breach. Therefore, seeking legal advice from specialists in data breach claims can ensure that your legal rights are upheld and your claim is thoroughly investigated.