Data Breach Reporting

A data breach should be reported to the Information Commissioner’s Office by an organisation if it is likely to affect the rights and freedoms of individuals. All organisations in the UK, including government departments such as HMRC, should report data breaches to the ICO if they are deemed to put individuals at risk of damage, whether financial loss or distress.

Find out more about how organisations should report data breaches and what individuals can do to report data breaches.

If you think you’ve been affected by a data breach and wish to report it, then get in touch with us for further guidance. We can help determine whether you have been affected by a data breach and whether you’re able to make a claim for compensation.

Get in touch with us today if you think you’ve been affected by a data breach.


What is a data breach report?

A data breach report is either a phone call or an online form submitted to the ICO by an organisation after a personal data breach has been discovered. Organisations are advised to report a data breach over the phone, unless the phone lines are closed.

The ICO supplies a personal data breach reporting guide on their website to give organisations guidance on what information they should supply when reporting a personal data breach that they’ve discovered.

Who should I report a data breach to?

Data breaches should be reported to the Information Commissioner’s Office (ICO). The ICO is the regulatory body responsible for protecting individuals’ data rights and has the power to fine organisations that fail to comply with the General Data Protection Regulation (GDPR), which was enshrined in UK law by the Data Protection Act 2018.

The ICO can offer support to organisations and individuals in issues related to data breaches, but cannot claim compensation on anyone’s behalf.

For Individuals Affected By A Data Breach

What types of personal data breaches should I report?

You are free to report all kinds of data breaches to the ICO if you wish; however, it’s important to note that the ICO will only take action against an organisation where the data breach has put individuals at risk of damage (financial loss or distress).

Types of personal data breaches that you should report include:

  • An unauthorised third party gaining access to your personal data
  • Unauthorised disclosure of your personal data by the data controller or processor
  • Your personal data being sent to someone else by mistake
  • Devices that contain your personal data being lost or stolen
  • Alteration of your personal data without your permission

How can I report a personal data breach?

You can report a personal data breach to the ICO by making a complaint. The ICO responds to every complaint and also runs a live chat and phone helpline to assist those who have been affected by a data breach. Whilst the ICO can give you advice and is able to take action against the organisation, it is not able to claim compensation on your behalf. Talk to a solicitor who specialises in data breach claims to see whether you are eligible for compensation.

How long do I have to report a data breach?

You have six years from the date of the breach to bring a claim for compensation for the damage it caused. This means that even if you’ve only just become aware of a data breach that happened up to six years ago, you should still be able to claim compensation, as long as you can prove that you have suffered distress or financial loss as a result.

Can I claim compensation for a data breach?

You may be able to claim compensation for a data breach if it can be proved that you have suffered financial loss or distress as a result of the breach. Read up on other examples of data breaches to see if your case is similar, or, for a more direct answer, get in touch with a team of specialist data breach solicitors for guidance on your personal data breach. They’ll be able to tell you whether you’ve got a claim and how best to proceed.

For Organisations Who Have Discovered A Data Breach

What types of personal data breaches should be reported to the ICO?

Not all types of personal data breach need to be reported to the ICO by an organisation; however, the GDPR does require all organisations to keep a record of every breach that takes place, whether or not it is reported. Breaches that organisations should report to the ICO are any that may pose a risk to the rights and freedoms of individuals.

This means that any breach which might put an individual at risk of economic or social disadvantage (such as discrimination), reputational damage or financial loss should be reported to the ICO. It’s up to the organisation to make this evaluation itself; however, it can contact the ICO for advice on the matter without having to make a full report.

When must data breaches involving personal data be reported to the ICO?

Data breaches involving personal data should be reported to the ICO within 72 hours of the breach being discovered, as stated in the Data Protection Act 2018:

“(1) If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—

(a) without undue delay, and

(b) where feasible, not later than 72 hours after becoming aware of it.”

Note that this doesn’t apply if the personal data breach is ‘unlikely to result in a risk to the rights and freedoms of individuals’. If an organisation takes longer than 72 hours to notify the ICO, then the notification should include the reasons for the delay. The law does, however, make allowances for organisations that are unable to deliver all the required information within the timeframe: the ICO accepts a phased approach to information being delivered, as long as this is still done as soon as possible.

How do organisations report personal data breaches?

Organisations should report data breaches by calling the ICO if they have deemed the breach to potentially put individuals’ rights or freedoms at risk. Prepare for the phone call by ensuring that you have as much of the following information to hand as possible:

  • what has happened;
  • when and how you found out about the breach;
  • the people that have been or may be affected by the breach;
  • what you are doing as a result of the breach; and
  • who the ICO should contact if they need more information and who else you have told.

There is also a form that you can download, fill in and email to the ICO, if you believe you have already dealt with the breach appropriately, or if you don’t have a complete set of information to give over the phone. Phone lines are open between 9am and 5pm, Monday to Friday, so sending the form via email is the only way to report a data breach outside of opening hours.

What happens after an organisation reports a data breach?

What happens after an organisation reports a data breach will depend on what type of breach has been reported and to what extent regulatory action is required. In some cases, the ICO could determine that no individuals have been put at risk as a result of the data breach and may simply advise the organisation on how to avoid such a breach in the future. It may also use the information submitted to help identify prevailing trends in data security.

In the case of serious data breaches that put individuals at risk, the ICO may use the information that an organisation provides in its data breach report to take regulatory action against it, such as issuing fines. Depending on the breach, the ICO may also have to share the report with law enforcement or cybercrime agencies, or with the Financial Conduct Authority. If the breach affects people in other countries, then it may also contact the relevant authority in those countries.

When should organisations notify victims of a breach of their personal data?

Organisations should notify victims of a breach of their personal data ‘without undue delay’, in the case that the likely result of the breach is a high risk to the rights and freedoms of the victim.

How should victims be notified of a personal data breach?

Victims of personal data breaches should be notified with the following information:

  • a description of the nature of the breach;
  • the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Note that the organisation does not have to notify the victims of the data breach if appropriate technological protection measures (such as data encryption) had been applied to the personal data, rendering it unintelligible to unauthorised individuals.

Similarly, notification is not required if the organisation has taken subsequent measures to ensure that the high risk to individuals is no longer likely to materialise, or if the act of notifying each individual would involve disproportionate effort. In the latter case, a public communication can be used instead to inform the affected data subjects.

What happens if an organisation fails to report a data breach?

Organisations that fail to report a data breach, either within the 72-hour window or altogether, may be fined to a greater extent or liable to pay more compensation to those individuals affected by the breach.

The longer a data breach goes unreported, the longer the individuals affected are left at risk of damage, so it follows that victims should be entitled to more compensation where there has been a failure to notify them.

Similarly, notification of data breaches to the ICO is enshrined in law in the Data Protection Act 2018, and failing to comply puts an organisation in direct violation of it.

About Data Breach Help

Run by Cobleys Solicitors – one of the leading law firms in the UK – we have experienced solicitors who specialise in all aspects of data breach law. With extensive experience and knowledge, we have a proven history of assisting clients in claiming compensation from private and public organisations that have failed to protect their data.


FAQs

How can I report a company for breach of data protection?

Report a company for breach of data protection by making a complaint to the ICO. Where your own personal data has not been affected by the breach, you can make a complaint to the ICO and trust it to look further into the case. Where your personal data has been affected, but the organisation responsible has yet to inform the ICO or yourself, then you may wish to contact a data breach solicitor to help guide you through the process of reporting.

Do all data breaches need to be reported?

Not all data breaches need to be reported. Data breaches that do not pose a risk to individuals’ rights or freedoms do not need to be reported to the ICO. In low-risk cases, or cases where the organisation has mitigated the risk through measures such as data encryption, the organisation will not even have to inform the data breach victims.

For example, if an employee of a financial business accidentally sends a client’s personal data to a fellow employee, the organisation will not have to report the breach to the ICO or to the subject of the breach. In this case, both employees are bound by the same data security measures and the recipient of the data will delete it according to protocol. Although a data breach has taken place, the subject’s information has not been put at risk. The breach must still be recorded in the organisation’s internal breach log, as the GDPR requires a record of all breaches.

How do you report data breaches in your workplace?

Reporting a data breach in the workplace should be done by the appointed Data Protection Officer (DPO). If your organisation does not have a Data Protection Officer, then you may need to discuss the breach with a manager before the information is reported to the ICO.

If you have been the victim of a data breach that has occurred in your workplace, then you may be able to claim compensation as a result. For example, if personal data such as your salary, or other sensitive information, has been disclosed in the workplace then you may have suffered distress as a result. You may be able to claim compensation from this breach of data, even if you haven’t financially suffered.