Who Is Legally Liable For A Data Breach?

Who is legally liable for a data breach depends on a number of factors, such as whether the party handling your data failed to adhere to data protection laws. Two different laws have recently been introduced to protect personal data: the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). These laws set out two main entities, data controllers and data processors. These are the two parties that could be liable should a personal data breach occur.

However, as you read through this guide, you will see the criteria that must be satisfied in order for you to make a personal data breach claim, who could be liable for a data breach and when you have the right to be informed.

If you have an eligible personal data breach claim, you may want to know how much compensation you could be awarded should your case be successful and for that reason, we have provided a compensation table and a section looking at what your settlement can include.

Additionally, in the penultimate section, we discuss how you could instruct one of our expert data breach solicitors under a No Win No Fee Agreement. 

Our No Win No Fee solicitors have years of experience and can help make the data breach claims process a lot easier for you as the claimant. So, to see whether you can be connected to our solicitors and begin a compensation claim, speak with our advisors today:

Jump To A Section 

  1. Who Is Legally Liable For A Data Breach?
  2. Could An Individual Be Liable Under The UK GDPR?
  3. When Should You Be Told Of The Breach?
  4. What Could You Claim Against A Liable Party?
  5. Could Accident Claims UK Help Me On A No Win No Fee Basis?
  6. Find Out More About Who Is Legally Liable For A Data Breach

Who Is Legally Liable For A Data Breach?

Data controllers are generally organisations responsible for determining how and why your personal information will be processed. These can include your employer, your bank, a hospital, online companies, or any entity that processes your personal data. Data controllers can either process the data in-house or outsource this to a data processor. Data processors are responsible for processing your personal information according to the data controller’s instructions.

Personal data is defined as any information that can be used to identify a person, such as your name, address, or National Insurance number. It can also include sensitive data, such as personal information relating to your religious belief, ethnicity, or political affiliation, which needs extra protection. Both pieces of data protection legislation state that data controllers and processors are responsible for safely storing, processing, and handling personal information.

If a data controller or processor fails to comply with data protection laws and this leads to a data breach in which your personal data is compromised, they could be liable for the breach.

Article 82 of the UK GDPR sets out the criteria that give you, the data subject, the right to seek data breach compensation. The criteria are as follows:

  • For the data controller or processor to be liable, they must have failed to abide by data protection law,
  • This led to a breach that compromised your personal data,
  • You suffered mental or financial harm because your personal data was involved in the breach.

Article 4 of the UK GDPR defines a personal data breach as a data security incident which leads to the alteration, loss, destruction, access to, or unauthorised disclosure of personal information, whether accidentally or unlawfully.  

So, if you have suffered emotional damage and/or financial losses due to a personal data breach, contact our advisors. After discussing your circumstances with them, you could be passed on to one of our data breach solicitors. 

Could An Individual Be Liable Under The UK GDPR?

Data controllers are not always organisations. They may be companies or other types of legal entities, like a public authority or incorporated association. They may also be individuals, like sole traders, self-employed professionals (e.g., barristers), or unincorporated partnerships. 

The above entities can be liable for a data breach since the UK GDPR considers them to be data controllers.

However, an individual who processes personal data for purely personal purposes or household activities isn’t subject to the UK GDPR.

For more information about who is legally liable for a data breach, please get in touch with our advisors. 

When Should You Be Told Of The Breach?

If your rights and freedoms have been put at risk by a data breach, the data controller has a duty to notify you of the breach without undue delay. A letter of notification should therefore be sent to you that details what personal information was exposed and what steps the data controller is going to take to rectify the situation. It is recommended that you keep hold of this letter as evidence.

The data controller or processor also has a duty to inform the Information Commissioner’s Office (ICO), the independent public body set up to protect UK residents’ data rights, about a serious data breach or security breaches within 72 hours of learning that the data breach occurred. The ICO is an independent body within the UK that upholds information rights. 

You can also contact the ICO if you are not satisfied with the data controller’s communication. You must contact the ICO within 3 months of the latest meaningful communication you had with the data controller. 

Talk to our team for more information about the data breach claims process. 

What Could You Claim Against A Liable Party?

Against a liable party, you could receive compensation for up to two types of damage in a successful data breach claim – material and non-material damage. You can claim for each type of damage individually or both together. 

Non-material damage is the psychological impact of a personal data breach. Post-Traumatic Stress Disorder, depression, anxiety, and distress are all forms of psychological impacts that could be compensated for. 

You may be invited to have an independent medical assessment during the data breach claims process. The report produced from this assessment can be used to help calculate your non-material damage. The Judicial College Guidelines (JCG) can also be used to help calculate your non-material damage. The JCG contains varying guideline compensation values for different types of physical and psychological injuries and illnesses.

Guideline Compensation Table

The table below includes different psychological injuries and illnesses and their accompanying guideline compensation values from the JCG (except the top line). Please refer to this table only as guidance since no compensation value can ever be guaranteed. 

| Injury | Severity | Guideline compensation brackets | Notes |
|---|---|---|---|
| Very serious mental harm with financial losses and costs | Very Serious | Up to £250,000+ | Compensation for very serious mental injury and subsequent significant financial impacts such as missed wages. |
| Psychiatric damage | Severe (a) | £54,830 to £115,730 | All aspects of the person's life, such as relationships with family members and coping with employment, will have marked problems. The prognosis will also be very poor. |
| Psychiatric damage | Moderately severe (b) | £19,070 to £54,830 | All aspects of the person's life, such as the above, will have significant problems. However, the prognosis will be more optimistic. |
| Psychiatric damage | Moderate (c) | £5,860 to £19,070 | While all aspects of the person's life, such as the above, will have problems, the prognosis will be good due to a marked improvement by trial. |
| Psychiatric damage | Less severe (d) | £1,540 to £5,860 | The length of the period of disability will be taken into consideration as well as to what extent daily activities and sleep are affected. |
| Post-Traumatic Stress Disorder | Severe (a) | £59,860 to £100,670 | The person will be unable to function at anything similar to the pre-trauma level or work at all. The effects will also be permanent. |
| Post-Traumatic Stress Disorder | Moderately severe (b) | £23,150 to £59,860 | Due to recovery from some help, the prognosis will be better than the above. However, the effects will still last for the foreseeable future. |
| Post-Traumatic Stress Disorder | Moderate (c) | £8,180 to £23,150 | Any continuing effects will not be grossly disabling as the person will have largely recovered. |
| Post-Traumatic Stress Disorder | Less severe (d) | £3,950 to £8,180 | A near full recovery within 1-2 years with only minor symptoms persisting any longer. |

Material Damage

Material damage is the financial loss caused by a personal data breach. Types of financial losses that you could suffer following a breach of your personal information include loss of earnings (from needing time off work due to your non-material damage), money stolen from your bank account if your bank details were exposed, or loans taken out in your name due to identity theft.

You will need to provide evidence of your material damage. For example, bank statements and payslips.

To learn more about how much compensation you could potentially receive after suffering from a personal data breach, speak with our advisors today. 

Could Accident Claims UK Help Me On A No Win No Fee Basis?

If you have an eligible data breach claim, we could help you claim compensation on a No Win No Fee basis. Our solicitors can represent you under a specific type of No Win No Fee arrangement called a Conditional Fee Agreement (CFA).

Conditional Fee Agreements are beneficial mainly because you will not need to pay the charges for your solicitor’s work:

  • Before the claims process. 
  • Throughout the claims process. 
  • If your data breach claim does not succeed.  

Instead, if your data breach claim does succeed, a success fee will be deducted from your compensation. A success fee is a percentage and not a fixed number. The Conditional Fee Agreements Order 2013 caps the maximum percentage that solicitors can take. This cap ensures that you receive the majority of the compensation.

Contact Us

Contact us today if you are suffering emotional impacts or financial losses due to your personal information being breached. You can talk with our advisors about potentially claiming data breach compensation and possibly receiving the benefits of our expert No Win No Fee solicitors. Here are our contact details, which are free to use 24/7:

Find Out More About Who Is Legally Liable For A Data Breach

Hopefully, this guide about who is legally liable for a data breach has been helpful. Please don’t hesitate to reach out to our team if you have any queries or want advice and support.