What do I need to do following a data breach?

Anyone can be a victim of a data leak. According to recent statistics from IT Governance, there were 1,243 security incidents in 2021, an 11% increase on the 1,120 recorded in 2020, and those incidents exposed 5.13 billion records containing personal information.

Finding out that the personal data you control has been compromised can be distressing, but there are steps you can take to limit the repercussions of the breach and contain the spread of sensitive data.

The following guide will help to prepare you to respond to a breach efficiently – or if you believe that there has already been a breach of personal data for which you are responsible and you are looking for the best course of action, you will learn what steps you should take. Whether an email was sent to the incorrect person, your laptop was stolen, or an online account was compromised, it is vital that you understand how to react to protect your data by using your legal rights to your advantage.

Who protects my data?

The Information Commissioner’s Office (ICO) is the agency tasked with upholding data rights in the public interest and safeguarding individual data privacy rights in the UK.

The ICO enforces the Data Protection Act 2018, the legislation that, together with the UK GDPR, controls how organisations, companies and the government may use your personal information. The UK GDPR is the UK's retained version of the EU's General Data Protection Regulation (GDPR), so the UK and EU regimes are closely aligned.

According to the ICO, any organisation that processes personal data, whether as a controller or a processor, must follow the "data protection principles". They must make sure the personal data they hold and process is:

  • Processed lawfully, fairly and transparently
  • Used only for the specified, legitimate purposes for which it was collected
  • Adequate, relevant and limited to what is necessary for those purposes
  • Accurate and, where necessary, kept up to date
  • Kept no longer than is necessary
  • Protected by appropriate security measures against unauthorised or unlawful processing and against accidental loss, destruction or damage

The law singles out "special category" personal data for extra protection, because its misuse can cause particular harm. This includes data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used to identify a person
  • Health
  • Sex life or sexual orientation

What actions may I take after a breach?

The law requires a data controller to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. The organisation that controls your data must report it within this timeframe so that it can be logged and investigated in accordance with the legal requirements.

Report it

The data controller reports the breach through the ICO website. The 72-hour clock starts when the controller becomes aware of the breach, not when the breach happened. If the breach is likely to result in a high risk to the people affected, the controller must also inform those individuals without undue delay. A breach that is never notified to the ICO is far less likely to be properly investigated, and the loss of your personal data is unlikely to be remedied. Seeking legal advice can help you make sure the breach is reported correctly, understand your rights and improve your chances of receiving compensation where it is due.

Log it

If you decide to pursue compensation, a careful record of events will help you present strong evidence that your data was handled unlawfully and that you suffered as a result.

Once the breach has been notified to the ICO, the next step is to establish its cause. The controller must keep a record of every personal data breach, whether or not it was reportable, describing the facts of the breach: a timeline of what happened and why, who was involved, how events unfolded, what effects the breach had and what remedial action the controller took.

The ICO can respond more quickly and effectively if it has a thorough understanding of the circumstances surrounding the breach.

Minimise it

Finding out what happened to the exposed data is a top priority and helps to minimise the harm caused. Where the data can be recovered, or its further spread contained, this should happen as soon as possible. The data controller must also take appropriate measures to protect anyone who may be at risk as a result of the breach.

Depending on the nature of the breach, you may be able to take practical steps to remove any risk. For example:

  • If the data controller accidentally sent information to the wrong recipient, it should contact that recipient promptly, ask for the information to be deleted or returned securely, and obtain confirmation that this has been done
  • The controller should trace the breach back to its origin, identify the security weaknesses or procedural failures that allowed it, and fix them
  • If a device holding personal data, such as a laptop or phone, has been lost, stolen or compromised and it supports remote wipe, its data should be erased immediately to reduce the chance of private information falling into the wrong hands

Understand your legal rights

As a data subject, if you think your data has been abused or has not been kept secure, you should contact the organisation that holds it directly, enabling them to take appropriate responsive action. If you are unhappy with their response or you feel that further action is necessary to react to the breach, you should get in touch with the ICO.

If a company violated data privacy laws and you suffered as a result, you have the right to file a claim for compensation under the Data Protection Act 2018. Cases involving data breaches, however, are not usually simple when it comes to proving liability.

Do I qualify for compensation after a data breach?

In the event of a breach of sensitive data, the organisation responsible for controlling the data may be held accountable and required to pay compensation. This typically concerns the sharing of private data that is not already in the public domain – such as sensitive financial or medical information – and so you should speak to an expert solicitor about your circumstances to determine whether or not you have a viable case.

The ICO can investigate a data breach and attempt to determine who is legally at fault. Your compensation claim would be significantly strengthened by a favourable ICO decision that determines that the other party misused your data – although this is often a lengthy process.

To register a claim against an organisation for a data breach, you do not need to go through the ICO or wait for the outcome of its inquiry; you can do so directly with the infringing party, since they will be responsible for paying compensation and not the ICO.

Organisations might try to downplay their liability and their responsibilities to protect your data or withhold details about the nature of the breach. As such, consulting legal professionals with expertise in data breaches can ensure your legal rights are upheld and that there is a thorough investigation into your claim. Seeking the help of data breach specialists ensures that the proper legal action is taken and that compensation is paid when it is due.
