UK: Did you know you can claim compensation if your data has been breached?

Not all breaches are caused by criminals exploiting security vulnerabilities of companies. Sometimes, people’s info is exposed on the web when an employee of the company mishandles it or inadvertently leaves it unprotected.

If a company fails to protect your personal information and it ends up in the wrong hands, you could receive money as compensation. This is especially true if the breach was by an organization with whom you have a contract or agreement.

The GDPR gives you the right to claim compensation from an organisation if you have suffered “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress) due to its violation of data protection law.

You can claim compensation for financial loss, emotional distress, or both.

The Information Commissioner’s Office – ICO – the UK’s independent overseeing organisation tasked with enforcing data protection laws, can help you with an assessment, advice, and information about how to do it. The ICO also opens official investigations and fines organisations found to have breached data protection laws. For example, in 2021, HIV Scotland was fined £10,000 for incorrect use of BCC in an email containing personal data, in which the email addresses of 105 patient advocates were revealed through incorrect use of BCC, including 65 identified them by name.

The steps ICO recommends you take if an organisation exposes your data:

• Reach out to the company that mishandled your info. The ICO provides a template letter. Wait 30 days for them to respond, and ask for clarification if they give you a response you do not understand.
• If the company refuses to respond to you, you can complain to the ICO. You should do this within three months of your last contact with the organisation. A case officer will weigh up the facts of what’s happened and tell you what they think should happen next.
• You can claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law, and the organisation may agree to pay it to you.
• If they do not agree to pay, your next step is to take your case to court. The ICO provides a guide with helpful information you should know before deciding to take your case to court.
• Get a lawyer for legal advice on the strength of your case before taking any claim to court because the ICO cannot give you legal assistance, nor can it award you compensation. For example, you could contact Public Interest Lawyers for free legal advice, and no obligation to proceed further if you don’t want.

How to check if your personal info is exposed

Data breaches frequently expose personal information such as credit cards, bank details or other financial information, ID/ passport numbers, driver’s license information, home addresses, phone numbers, medical records, and more.

Searching online for this information about yourself is time-consuming and inefficient. It’s unrealistic to think someone will happily set up a day per week in the calendar to look for potentially breached personal data.

Instead, you could use a monitoring service, such as Digital Identity Protection, specially created for detecting your exposed information on the web, as well as in places you cannot easily get on your own – such as the Dark Web.

Digital Identity Protection only needs your email address and phone number to crawl data leaked from breaches to see if your information was exposed.

You get:

• A full list of organizations that revealed your details and what type of personal information was exposed - in other words, your breach history.
• Alerts when you are involved in a new breach
• Continuous monitoring of your personal data (email, passwords, credit cards)
• A 360-degree overview of your digital footprint
• Recommended steps to take for each of your accounts exposed in a data breach.

Should you find such a service helpful, check out Digital Identity Protection.