How To Report A Data Breach To The ICO

By Stephen Hudson. Last Updated March 2024. If an organisation breaches your personal data, you could report the breach to the Information Commissioner’s Office (ICO). The ICO is an independent authority tasked with upholding data subject rights and freedoms. This article will explain how to report a data breach to the ICO.

The UK General Data Protection Regulation (UK GDPR) along with the Data Protection Act 2018 (DPA) are key pieces of data protection legislation. Under Article 33 of the UK GDPR, organisations must report certain data breaches to the ICO within 72 hours. Afterwards, the ICO may investigate the organisation and take action against them.

In some cases, those affected by a data breach can claim compensation. You might have a valid reason to make a claim if you suffered stress due to the data breach or experienced financial harm. However, there are certain criteria your claim must meet. We will explore these in more detail throughout our guide.

Please contact us for more information on what to do after a data breach. To get in touch, you can:

Select A Section

  1. When Should You Report A Data Breach To The ICO?
  2. Who Should Report A Data Breach To The ICO?
  3. How Long Do You Have To Report A Data Breach To The ICO?
  4. How To Make A Personal Data Breach Claim
  5. How Much Could You Claim For A Data Breach?
  6. Data Breach Claims With A No Win No Fee Solicitor

When Should You Report A Data Breach To The ICO?

Before we look at when you should report a data breach to the ICO, it’s important to understand what a data breach is. A personal data breach is a security incident involving your personal data. This can include your personal information being lost, altered or destroyed in an accidental or unlawful way. It can also include your personal information being disclosed or accessed without authorisation.

There are various ways a personal data breach could occur. For example, human error could result in a data breach, such as when a letter containing personal data is posted to the wrong postal address. Additionally, a data breach could happen because of deliberate actions, such as cybercriminals hacking into a company’s database to steal information, as in the case of the British Library.

If a data breach occurs that could impact an individual’s rights and freedoms, then the organisation should report the personal data breach to the ICO within 72 hours. The organisation should also notify the data subjects that their data has been breached without undue delay.

The ICO has the power to investigate organisations that breach data protection and may issue a fine. Any communications between yourself and the ICO can be used as evidence to support your data breach claim. However, it is not necessary to report to the ICO in order to make a personal data breach claim.

Get in touch with our claims team for more information.

Who Should Report The Data Breach To The ICO?

The UK GDPR and the DPA require organisations to protect the personal data they process.

As such, the data controller or data processor should report the data breach to the ICO. A data controller makes decisions on the purpose for processing. Data processors might be appointed to act on behalf of a data controller.

However, you could also report a potential data breach involving your personal data to the ICO.

How Long Do I Have To Report A Data Breach To The ICO?

There are different time frames involved with reporting a personal data breach, such as:

  • As an organisation, you have 72 hours to report a personal data breach to the ICO if it affects the rights and freedoms of a data subject.
  • As an organisation, you have to report a personal data breach to the data subject without undue delay. This is only if it affects their rights and freedoms.

Additionally, as someone who has been affected by the data breach, you could make a report or complaint directly to the organisation. If they have failed to respond, or have not responded adequately, you could make a complaint to the ICO.

The ICO may take appropriate action against the organisation. You must report a data breach to the ICO within three months of your last meaningful contact with the organisation. Otherwise, it may be too late for the ICO to take action.

Call our data breach claims team for free legal advice if your personal data was compromised in a breach.

How To Make A Personal Data Breach Claim

In order to make a personal data breach claim, you must demonstrate that:

  1. An organisation failed to comply with data protection legislation.
  2. Your personal data was compromised as a result.
  3. This led to you suffering psychological injuries, such as emotional distress, or experiencing financial losses because of the personal data breach. You might have experienced both a mental health injury and financial harm.

Evidence that can be used to support a personal data breach claim includes:

  • Bank statements and financial information to prove any financial losses incurred.
  • The data breach notification the organisation sent you. This could be in the form of a letter or email.
  • Copies of communications between you and the organisation discussing the data breach, or communication between yourself and the ICO.
  • You can present medical records to prove your mental health injuries. For example, if you suffered from post traumatic stress disorder (PTSD) after the data breach, you could submit a copy of a report from your doctor.

To find out more about how to report a data breach to the ICO or discuss evidence you can provide in support of your claim, get in touch on the number above.

How Much Could You Claim For A Data Breach?

Two heads could form your data breach settlement. These are:

  • Material damage, which is compensation for any money or assets you lost because of the personal data breach.
  • Non-material damage, which provides compensation for any mental health injuries, such as emotional distress, anxiety or depression, that the personal data breach caused.

The compensation table has information from the Judicial College Guidelines (JCG). These guidelines are used by legal professionals to help them assign value to the non-material damage head of claim.

| Injury | Comments | Award |
|---|---|---|
| Mental Harm | (a) Severe – Cases where the person has suffered a severe impact on their lifestyle and relationships. With poor chances of making a recovery. | £54,830 to £115,730 |
| Mental Harm | (b) Moderately Severe – Cases where the person suffered significant harm to their lifestyle and relationships but where they have a more optimistic chance for recovering. | £19,070 to £54,830 |
| Mental Harm | (c) Moderate – Whilst initially the case involved similar problems with the person’s ability to work and form relationships, there will have been a significant improvement. | £5,860 to £19,070 |
| Mental Harm | (d) Less Severe – There will be consideration given to the extent of how badly the person has been affected. | £1,540 to £5,860 |
| Anxiety Disorder | (a) Severe – The person suffers a severe impact from the anxiety disorder on all aspects of their life. They are not able to function at the same level as before the incident. | £59,860 to £100,670 |
| Anxiety Disorder | (b) Moderately Severe – The person has a better prognosis because of help from a professional. | £23,150 to £59,860 |
| Anxiety Disorder | (c) Moderate – The person will have largely recovered. If there are any ongoing issues, it won’t be majorly disabling. | £8,180 to £23,150 |
| Anxiety Disorder | (d) Less Severe – Within a couple of years, a mostly full recovery will have taken place. | £3,950 to £8,180 |

However, it’s important to note that if you win your claim, you may receive more or less compensation than you see in the table. This is because different factors are considered when calculating how much compensation you’re owed. If you call our helpline, an advisor can estimate how much you can claim.

Data Breach Claims With A No Win No Fee Solicitor

If you have reported a data breach to the ICO and have valid grounds to claim for it, then you could seek support from a solicitor. Our advisors are available to discuss potentially making a data breach claim. If they determine you have a strong case, they may connect you with one of our No Win No Fee solicitors.

One of our No Win No Fee solicitors may offer to support your personal data breach claim under a Conditional Fee Agreement (CFA). This means you won’t have to pay upfront or ongoing fees to your solicitor for their services. Also, you won’t need to pay your solicitor for the work they have provided if your claim proves to be unsuccessful.

If your claim succeeds, then the No Win No Fee solicitor who supported your claim can subtract a legally capped percentage from the compensation awarded to you. This is often called a success fee.

For more advice on claiming for a data breach with a No Win No Fee data breach solicitor, please get in touch with our advisors for free. To reach them, you can:

We hope this guide on how to report a data breach to the ICO has helped. If you have any further questions, get in touch on the number above.