A Law Firm Has Shared My Personal Data – Can I Claim Compensation?

If a law firm has shared your personal data without having a valid and legal reason, this could be classed as a data breach. After explaining what a personal data breach entails, the guide explores the data protection laws that apply to data controllers such as law firms. A data controller is generally an organisation or company that says how and why personal data should be processed. It also discusses your rights as a data subject and helps you understand if you may have grounds to pursue a personal data breach claim.



Furthermore, we give examples of compensation amounts and provide a compensation calculator table to help you estimate what you could potentially receive.

We also describe the benefit of a No Win No Fee solicitors service and list other resources to help you understand how to make a personal data breach claim against a law firm. If you reach out to us, our advisors can give free legal advice and provide guidance surrounding your claim. If your claim is valid, our No Win No Fee expert data breach solicitors may offer to take on your case. Contact us today if a law firm has shared your personal data in a data breach:

Select A Section

  1. Does The UK GDPR Apply To Law Firms?
  2. Processing And Controlling Your Data
  3. What Are Your Rights As A Data Subject?
  4. When Could A Law Firm Have Shared Your Personal Data Without Consent?
  5. What Could I Claim If A Law Firm Has Shared My Personal Data?
  6. Contact Us To Make A Data Breach Claim Against A Law Firm

Does The UK GDPR Apply To Law Firms?

A law firm may hold personal data, that is, data that can be used to identify you, so long as it has a lawful basis to do so. Organisations are obligated by law to handle personal data carefully and prevent it from being accessed by unauthorised parties.

A personal data breach is a security incident whereby personal data is disclosed, altered, destroyed, lost, stolen or accessed in an unauthorised way. This can happen through human error, by accident or through deliberate actions. A personal data breach can cause stress or go on to cause emotional injuries. It could also result in financial losses if the personal data is used for unauthorised financial transactions.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are the two main pieces of legislation used to protect personal data in this country. Solicitors are not exempt from the UK GDPR and data protection laws. If you suffered psychological or financial harm because your personal data was breached by a law firm due to their failure to comply with data protection law, you may be able to claim.

The data protection governing body, the Information Commissioner’s Office (ICO), may then impose a fine on that organisation. The fines imposed by the ICO do not remove your rights to make a personal data breach claim. Generally speaking, you have 6 years, or 1 year if it’s a public body, to claim for damages.

If a law firm has shared your personal data in a breach they are responsible for and this has caused you harm, call our claims team for a free case assessment.

Processing And Controlling Your Data

A law firm interacts with your personal data as a data controller.

Data controllers decide why and when personal data should be processed. They are the decision-makers and exercise overall control over the reasons to process personal data.

Data processors, on the other hand, are agencies that process data on behalf of the data controller. They carry out the processing of the data under specific instructions of the controller.

Both data controllers and processors are subject to the UK GDPR and DPA.

UK GDPR – How A Law Firm Should Use Your Personal Data

The GDPR principles that solicitors in a law firm need to abide by when using personal data include:

  • A law firm should not only have a legal basis but should also process personal data fairly and openly.
  • Protect information against accidental loss, damage, unauthorised access and unlawful processing.
  • Information should not be kept for longer than necessary.
  • Keep information accurate and up to date.
  • Data processing should be limited to only what is necessary.
  • Information should be processed for explicitly specified purposes.

What Are Your Rights As A Data Subject?  

The ICO provides guidance on the data protection rights of data subjects.  A data subject is a living individual who is identified or can be identified by their personal data. The following are rights data subjects have over their personal data:

  • the right to have data erased or forgotten in certain circumstances
  • the right to complain to the Information Commissioner
  • the right to correct inaccurate personal data or to complete it if it’s incomplete
  • the right to be informed on the collection of personal data and how it may be used
  • the right to object to using their personal data
  • the right to withdraw consent
  • the right to access personal data

If a law firm has shared your personal data in a data breach, why not call our team to see what your next steps could be?

When Could A Law Firm Have Shared Your Personal Data Without Consent?

A law firm must have a lawful basis in order to process your personal data. Although obtaining consent is one of the lawful bases, other lawful bases exist which authorise a law firm to share your personal data without consent. This means that there are situations in which a law firm may rely on another lawful basis to share your personal data without obtaining express or new consent to do so.

For instance, a law firm may use ‘legal obligation’ as a lawful basis to share your personal data with a law court. This applies when a law firm shares your personal data to comply with a court order.

Another instance is when a law firm uses the lawful basis of ‘contract’ to process your personal data with solicitors. This can apply if you hired them to deliver a service under contract and it is necessary to complete the service. 

A law firm has to rely on any of the following lawful bases to process your personal data:

  • Vital interests
  • Consent
  • Legal Obligation
  • Legitimate interest
  • Public task
  • Contract

Under certain circumstances, an organisation may need your consent to use your personal data. When the law firm wants to use ‘consent’ as a reason to process or share your personal data, then it needs to ask for your permission. 

What Could I Claim If A Law Firm Has Shared My Personal Data?

A personal data breach incident can impact your life negatively in many ways. However, you may be able to recover some of your losses through a data breach compensation claim. To be eligible to make a personal data breach claim you must show how the data controller or processor failed in their obligation to comply with data security laws, how this led to personal information being breached and also how this caused you harm.

Your personal data breach claim may comprise material damages and non-material damages.

Material damages help recover financial losses incurred as a result of the personal data breach. For instance, in a credit card data breach, your personal data may have been used for unauthorised financial transactions that caused you financial loss. In this case, you may be able to claim back your lost funds under material damages.

Non-material damages compensate for psychological injuries suffered due to the personal data breach. The Court of Appeal case of Vidal-Hall and others v Google Inc [2015] set a precedent which allows you to claim compensation for mental injuries in the absence of financial loss.

Data Breach Compensation Calculator

Solicitors may use compensation amounts from the Judicial College Guidelines (JCG) to assist them in valuing claims. These figures are used more commonly in personal injury compensation claims, such as an accident at work claim. They are used to value compensation amounts for psychological injuries. The figures below are from the 2022 edition of the JCG.

| Injury | Severity | Notes | Amounts |
|---|---|---|---|
| Psychiatric Damage | (a) | Marked problems with ability to cope with life. | £54,830 to £115,730 |
| Psychiatric Damage | (b) Moderately Severe | Significant problems with ability to cope with life | £19,070 to £54,830 |
| Psychiatric Damage | (c) | Marked improvement in ability to cope with life | £5,860 to £19,070 |
| Psychiatric Damage | (d) Less Severe | Length of the period of problems and the extent to which daily activities were impaired | £1,540 to £5,860 |
| Post-Traumatic Stress Disorder (PTSD) | (a) | Permanent effects which prevent the injured person from working | £59,860 to £100,670 |
| | Moderately Severe | Some recovery with professional help | £23,150 to £59,860 |
| | | Largely recovered | £8,180 to £23,150 |
| | Less Severe | Virtually fully recovered | £3,950 to £8,180 |

Contact Us To Make A Data Breach Claim Against A Law Firm

If you have decided to make a data breach claim because a law firm has shared your personal data in a data breach they are responsible for, our advisors are able to give you free legal advice. They are also able to connect you to our solicitors, who can help you claim compensation for a personal data breach in the UK.  

Our solicitors are able to represent you on a No Win No Fee basis, for example, through a Conditional Fee Agreement (CFA). This presents a more cost-effective way to access legal representation, as you only need to pay a solicitor’s fee if your claim succeeds.

A small percentage of your personal data breach compensation payout will cover the solicitor’s success fee. This percentage is capped by law so that you retain the majority of your compensation. Contact our advisors now to find out how a Conditional Fee Agreement could benefit you.

If you need some support with your claim, do not hesitate to reach us through any of these means:

Related Guides On Data Breach Compensation 

External resources to learn more about personal data breaches

Gov.UK Guide – Cyber Security Breaches Survey 2022

Taking Your Case To Court And Claiming Compensation – ICO Guide 

ICO Guide – Data Security Incident Trends

Learn more from our other guides

What Are My Rights After A Solicitors Data Breach

Social Services Data Breach – Can I Claim Compensation Guide 

What Are My Rights After A School Data Breach

If a law firm has shared your personal data in a data breach and this has caused you harm, please call our claims team to see if you can make a personal data breach claim.