Is Revealing My Phone Number A Breach Of The UK GDPR?

Data protection laws such as the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR) outline an organisation’s responsibility to protect your personal data. The Information Commissioner’s Office also sets out the responsibilities that data controllers, those who process your personal data, have in protecting a data subject’s rights and freedoms. In this guide, we will explore whether a data controller or data processor revealing your phone number is a breach of the UK GDPR.

A data controller has overall control over the purposes and means of processing personal data. A data processor acts on behalf of the data controller based on the instructions they are given by the controller.

You may be concerned about whether an organisation revealing your phone number is a breach of your data rights. If so, this guide could help by providing information on your rights as a data subject and examples of how an organisation could have breached data protection law.

This guide will also explore whether you’re eligible to seek compensation for any financial damage or psychological harm caused by a breach of your personal data.

If you have any questions regarding your potential data breach claim, please get in touch with our team on the following details:

  • Phone number – 0800 073 8801
  • Live chat – Speak with an advisor using the feature below
  • Online – You can fill out our online contact form with your query.

Select A Section

  1. What Is The UK GDPR?
  2. What Personal Data Is Protected By The UK GDPR?
  3. Is Revealing My Phone Number A Breach Of The UK GDPR?
  4. How Long After Your Phone Number Being Revealed Could You Claim?
  5. What Could Be Claimed After Revealing A Phone Number As A Breach Of The UK GDPR?
  6. Contact Us About Whether Revealing Your Phone Number Is A Breach Of UK GDPR

What Is The UK GDPR?

The UK GDPR is a piece of legislation that sits alongside a version of the DPA that was updated after the UK left the European Union. It applies to organisations that process UK residents’ personal data. The DPA works with the UK GDPR to ensure that personal data is protected. 

Data controllers must comply with the seven principles outlined in Article 5 of the UK GDPR. As per the principles, data controllers must:

  • Process personal data in a lawful, fair and transparent way
  • Have appropriate security measures in place for processing personal data
  • Collect for specified, explicit and legitimate purposes
  • Ensure the personal data they hold is accurate
  • Only store personal data for the time it’s needed
  • Ensure that the personal data they are processing is adequate, relevant and limited to what is necessary
  • Take responsibility for how they use personal data and ensure they comply with the other principles

The UK GDPR also outlines your rights as a data subject. These rights include being able to make a personal data breach claim if a data controller fails to comply with data security laws, this leads to your personal information being involved in a breach, and you are caused harm as a result.

In some cases, an organisation may have failed to uphold the principles set out in the UK GDPR. If so, call our team to find out the steps you could take. They could also provide further information on whether an organisation revealing your phone number is a breach of the UK GDPR.

What Personal Data Is Protected By The UK GDPR?

Personal data is any form of information that relates to an identified or identifiable person. This includes data that can be used to identify someone directly, and data that can identify someone when it is processed alongside other information. Examples of this information include:

  • Name 
  • Address
  • Email address 
  • IP address 
  • Phone number

In addition, certain personal data requires more protection. As per Article 9 of the UK GDPR, this is defined as special category data, which covers personal data that relates to a person’s:

  • Racial or ethnic origin
  • Religious beliefs
  • Political opinions
  • Health
  • Trade union membership
  • Sexual orientation

In some cases, an organisation revealing your phone number may be a breach of the UK GDPR. We have explored what this means in further detail in the section below. Alternatively, you can call our team to find out more.

Is Revealing My Phone Number A Breach Of The UK GDPR?

A security incident where personal data is altered, lost, destroyed, accessed or disclosed accidentally or unlawfully is considered a personal data breach. 

For that reason, there are cases where an organisation revealing your phone number is a breach of the UK GDPR. For instance, a member of staff may have sent an email to the wrong email address containing your personal information, including your mobile phone number.

In this instance, if the breach caused you to experience financial losses or psychological harm, you may be able to seek compensation for the suffering you have experienced.

However, not all instances of your phone number being shared will lead to a claim. For instance, the organisation may have had a lawful basis for processing it. 

Organisations processing your personal data should do so on a lawful basis. There are six lawful bases for processing, including:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests 
  • Public task
  • Legitimate interests

As such, the organisation may have shared or revealed your phone number lawfully. To find out more, call our team.

How Common Are Breaches Of The UK GDPR?

According to statistics provided by the Information Commissioner’s Office (ICO), there were 2,172 data security incidents during the most recent quarter of 2021/22.

Of these, 1,696 were non-cyber security incidents and 476 were cyber security incidents.

How Long After Your Phone Number Being Revealed Could You Claim?

The time limit for starting a personal data breach claim is usually 6 years. Alternatively, in cases where you’re claiming against a public body, you will have 1 year.

For more information on time limits and how they could affect your claim, talk with one of our advisors today. 

What Could Be Claimed After Revealing A Phone Number As A Breach Of The UK GDPR?

If you’re eligible to claim due to an organisation being in breach of the UK GDPR and revealing your phone number, you may wish to understand how compensation for a data breach is calculated.

Data breach compensation can comprise two heads of loss:

  • Material damages: This head of loss compensates for the financial losses you have experienced as a result of the personal data breach. You would need to provide evidence of any losses such as bank statements and credit card statements. 
  • Non-material damages: This head of loss relates to the compensation awarded for the psychological injury sustained as a result of the breach of your personal data. 

In order to calculate how much you’re owed for any psychological damage, legal professionals may consult guidelines created by the Judicial College. The guidelines set out bracket compensation amounts corresponding to a variety of injuries at differing levels of severity.

The figures shown in the table are from the latest edition of the guidelines, published in April 2022. Please only use these as a guide because your actual settlement will differ.

| Psychological Injuries | Compensation brackets | Injury description |
|---|---|---|
| Severe PTSD | £59,860 to £100,670 | The person will experience a severe impact on all aspects of their life. |
| Severe Psychiatric Damage | £54,830 to £115,730 | There is a significant impact on the person’s daily life, including their work and education. |
| Moderately Severe PTSD | £23,150 to £59,860 | The person will have a prognosis that is better due to receiving professional help. |
| Moderately Severe Psychiatric Damage | £19,070 to £54,830 | The person will still experience significant issues but the prognosis is better than in more severe cases. |
| Moderate PTSD | £8,180 to £23,150 | The person will have mostly recovered, although there are some lingering effects that aren't hugely disabling. |
| Moderate Psychiatric Damage | £5,860 to £19,070 | The person will have made a huge improvement and have a good prognosis. |
| Less Severe PTSD | £3,950 to £8,180 | The person will have made a mostly full recovery within a couple of years. |
| Less Severe Psychiatric Damage | £1,540 to £5,860 | The award given will depend on several factors, such as how long the person was impacted. |

Contact Us About Whether Revealing Your Phone Number Is A Breach Of The UK GDPR

If you’d like to discuss launching your potential claim, our team could help. They could discuss the option of having one of our data breach solicitors represent your claim on a No Win No Fee basis. As such, they could operate under a Conditional Fee Agreement (CFA), meaning you won’t have to pay an upfront cost for their services.

Additionally, you won’t have to pay a success fee if your claim fails. If your claim is successful, you would need to pay the success fee in the form of a percentage of your compensation. However, this is subject to a legal cap.

Alternatively, an advisor can provide further information on whether an organisation revealing your phone number is a breach of the UK GDPR.

For more information, get in touch using the following details:

  • Phone number – 0800 073 8801
  • Live chat – Speak with an advisor using the feature below
  • Online – You can fill out our online contact form with your query.

Personal Data Breach Resources

We have collected a range of internal and external resources that could be useful for you to read through.

If you require any additional information on whether revealing your phone number is a breach of the UK GDPR, contact us today.

Guide by LW

Edited by MM/MMI