This guide examines how long you have to report a data breach. We examine the process of reporting an organisation to the Information Commissioner’s Office (ICO) for failing to uphold their obligations under data protection legislation, namely the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. As well as explaining the time limits for reporting a data breach, we also explain the limitation period for making a data breach claim and the criteria that need to be met for you to seek compensation.
The organisation that decides when and why your personal data will be processed is known as the data controller. They might outsource this task to an external organisation called a data processor, if they don’t process the information themselves. The individuals to whom the data relates are called data subjects. We use these terms throughout the guide. We also explain the kinds of personal data that could be affected in a data breach and the damage you could receive compensation for upon the success of your potential claim.
Towards the end of the guide we have provided details of the No Win No Fee contract offered by our highly experienced and dedicated data breach solicitors, with particular reference to the type of contract they can offer their legal services under.
You can speak to our advisors about the timescales to report a data breach incident using the contact information provided here. As well as answering any questions you might have, the team can offer a no cost assessment of your eligibility to start a data breach claim free of charge. Get in touch today using the following:
- Phone on 0800 073 8804.
- Begin your claim online by completing our web form.
- Click the live chat button at the bottom of the screen
Select A Section
- How Long You Have To Report A Data Breach
- How Do You Report A Data Breach To The ICO?
- What Personal Data Could Be Affected By A Breach?
- When Can You Claim For A Personal Data Breach?
- How Can Solicitors Help With No Win No Fee Data Breach Claims?
- Find Out More About How Long You Have To Report A Data Breach And Claim Compensation
How Long You Have To Report A Data Breach
A personal data breach is a security incident that results in the unauthorised disclosure, loss, alteration, accidental or unlawful destruction of, or access to, personal data. This definition encompasses both human error and deliberate action data breaches.
The ICO stipulates that as a data subject, you can make a complaint to them if you’re unhappy with how an organisation has handled yours or other people’s information. There are certain steps that you need to follow before doing so, including complaining directly to the organisation, asking for clarification from them if you are unsure of their response, and follow up with them if no response has been given after 30 days.
If you have carried out these actions and no response has been provided by the organisation, you can then submit your complaint. Typically, you must do this within three months of the last contact you had with the organisation in question. The ICO will then decide whether or not to open an investigation into the breach.
You can get further guidance on how long you have to report a data breach by speaking to an advisor. Get in touch with Legal Expert’s dedicated team today using the contact information provided above.
When Should An Organisation Report A Breach To The ICO?
Data controllers must report a serious breach that is considered high risk. This means it has the potential to put the rights and freedoms of data subjects at risk. The individuals affected must be notified by the data controller without undue delay.
Additionally, they must report a breach to the ICO within 72 hours of becoming aware of the breach and its likely consequences.
To find out more, call an advisor on the number above.
How Do You Report A Data Breach To The ICO?
Reporting a personal data breach to the ICO is a relatively straightforward process. We have broken down the steps of making a data protection complaint for you here:
- Raise your concerns directly with the organisation. As a data subject, you can voice your concerns to a data controller at any time. The ICO states you should give the data controller the opportunity to address your concerns before opening a formal complaint. This should be done via letter or email to ensure there is written proof of correspondence and contain all the details you want to address.
- Give the data controller 30 days to respond. You should stipulate this time frame in your complaint letter. If it appears no action has been taken, you can politely chase the data controller for a response.
- Ask for additional clarification or express your dissatisfaction with the response. Once the data controller has responded, you should ask for additional details on any matters you don’t understand or are unhappy with.
- Make a complaint to the ICO. If you are unable to resolve the issue with these steps or the data controller is not responding to your communications, you can raise a complaint to the ICO using their online complaints portal.
It is not a legal requirement that you first complain to the ICO before starting the data breach claims process. Our advisors can provide you with free legal advice as well as assess your eligibility to begin a compensation claim following a personal data breach. Get in touch today via the contact information given below.
What Personal Data Could Be Affected By A Breach?
Personal data is defined as any information that can be used to directly or indirectly identify a living individual. Examples of personal data that could be affected in a breach are your name, address, and contact details, such as a phone number or email address. Your banking details or credit card information are also considered personal data. A data breach that affects your financial information could result in significant monetary losses.
Article 9 of the UK GDPR also has provisions for special category data. This is personal data relating to topics deemed to be of a sensitive nature and therefore demanding more robust security measures. Examples of special category information include data regarding health, sexual orientation or an individual’s sex life. Other examples include data regarding religious, philosophical or religious beliefs or trade union membership.
What Impact Could Personal Data Breaches Have?
The potential negative consequences of a data breach are split into two types of damage. Material damage refers to financial loss caused by the data breach. For example, the theft of money from your accounts or purchases made using your cards and the resulting damage to your credit score this could have. This could occur if banking information is sent to the wrong person in a letter. Non-material damage means the psychological distress caused by a data breach, such as anxiety, distress, and post-traumatic stress disorder, in more severe cases. This could happen if sensitive information is sent to the wrong email address, for example.
Having personal data exposed, particularly if that data is of a sensitive nature, can be a deeply distressing time. Following the case of Vidal-Hall and others v Google Inc [2015], data subjects can claim compensation if they suffered stress due to a data breach, as well as various psychological injuries independently of financial losses. You can also claim for both together, if you suffered both as a result of a data breach incident.
You can learn more about the data that could be affected in a personal data breach, as well as how long you have to report a data breach, by talking to our advisory team. The contact information provided below can be used to reach us 24 hours a day.
When Can You Claim For A Personal Data Breach?
In order to claim for a personal data breach, you must prove the following:
- A data controller or processor failed to uphold their obligations as set out in the UK GDPR and DPA 2018. This is wrongful conduct.
- Your personal data was compromised in a breach as a result of this wrongful conduct.
- You suffered psychological harm and/or financial damage because of the personal data breach.
How Long Do You Have To Claim For A Data Breach?
A typical data breach claim is subject to a limitation period of six years. This means any data breach claim will need to be made within six years of you being notified of the breach occurring. The time limit is reduced to one year if you are making a data breach claim against a public body.
You can discuss how long you have to report a data breach and the claims limitation period in greater detail with one of our advisors. Talk to the team today using the provided contact information.
How Can Solicitors Help With No Win No Fee Data Breach Claims?
The specialist data breach solicitors at Legal Expert have years of experience in handling data breach claims. To find out if you’re eligible to work with one of our solicitors, contact our advisors for a free assessment. Once our team decide your potential claim is valid, one of our solicitors could offer their services under a Conditional Fee Agreement or CFA.
The CFA is a type of No Win No Fee contract where you would not need to pay the solicitor to start working on your case, or during the claim itself, in most circumstances. As “No Win No Fee” suggests, there will likewise be no cost to you for their work should the claim fail.
A successful data breach claim will award you a compensation payout for the damage you have suffered. Before the claims process gets underway, the solicitor will discuss their success fee with you and agree to a percentage. The success fee is payable to the solicitor from your compensation if they win the claim. As the maximum percentage that can be charged is capped, you will keep the majority of any compensation you receive for claims made under these terms.
You can find more guidance on data breach claims in general by browsing our guide answering frequently asked questions about data breach compensation claims. For more in depth guidance on how long you have to report a data breach or to find out if you are eligible to make a data breach claim, use the contact information provided here:
- Phone on 0800 073 8804.
- Begin your claim online by completing our web form.
- Click the live chat button at the bottom of the screen
Find Out More About How Long You Have To Report A Data Breach And Claim Compensation
You can browse some of our data breach claims guides on our website:
- Find out more about claiming data breach compensation with this guide.
- If you suspect that an unauthorised person has gained inappropriate access to medical records, you may be eligible to claim compensation
- Learn more about landlord data breach compensation claims with this guide.
We have also provided these links to some external websites for additional information:
- Read more about how you could make a complaint for a data protection violation on the Government website.
- Read more about the work of the National Cyber Security Centre and access guidance on a range of data protection topics on their website.
- You can access a range of mental health services, resources and support through the NHS.
Thank you for reading this guide on how long you have to report a data breach. For more advice on the time limits to report a data controller, contact our advisory team today. You can also find out if you have valid grounds to pursue a data breach claim. Our advisors are on hand 24 hours a day, 7 days a week via the contact information provided above.
