How Do You Report A Data Breach To The ICO?

If your personal data has been compromised in a personal data breach, you may be wondering how to report a data breach to the ICO. The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights and tasked with upholding data protection law and standards in the UK.

report-a-data-breach-to-the-ico

How to report a data breach to the ICO guide

This guide will explain how and when you should report a personal data breach to the ICO, along with explaining who is eligible to make a personal data breach claim. We will also look at the time limits connected with making a personal data breach claim, and how one of our experienced personal data breach solicitors could help you.

When a data controller or data processor fails to safeguard your personal data, this can cause considerable financial and mental harm. If you have suffered financial harm or a psychological injury as a result of a personal data breach, you may be able to make a claim.

To start your claim, contact our advisors today by:

Select A Section

  1. When To Report A Data Breach To The ICO
  2. How Long After A Data Breach Should The ICO Be Notified?
  3. Who Can Report A Data Breach To The ICO?
  4. How To Notify The ICO Of A Data Protection Breach
  5. What Could I Claim After A Data Breach?
  6. Make A No Win No Fee Data Breach Claim

When To Report A Data Breach To The ICO?

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) are the two leading pieces of legislation protecting personal data in the UK. If an organisation fails to adequately protect your personal data, and you suffer harm as a result, you may be eligible to make a claim. 

A personal data breach is a security incident that alters the security, integrity, or availability of your personal data. For example, if your personal data is shared with an unauthorised party, or a device or folder containing documents that hold personal data are lost. There are six lawful bases for the processing of personal data, including consent.

Personal data refers to any data that could identify you, including your:

  • Name
  • Date of birth
  • Email address
  • Home address
  • Phone number

If you suspect that your personal data has been compromised in a personal data breach, you can contact the data controller directly. This is the organisation that decides what data to collect, how to store or use it, and why. They may be able to provide more information.

You can report a personal data breach to the ICO within three months of your last meaningful contact with the organisation in question. The ICO may then choose to open an investigation into the breach, but they cannot provide any form of compensation.

That’s where we can help. Get in touch with our advisors today to find out more about how we can help you claim compensation after suffering harm as a result of a personal data breach. 

How Long After A Data Breach Should The ICO Be Notified?

If a personal data breach occurs that could affect the rights and freedoms of the data subject, the organisation must notify the ICO within 72 hours. They must also contact the data subject without undue delay to inform them of the breach.

Personal data breach claims also have a time limit. If you wish to make a claim against a private company or organisation, the limit is usually six years. However, if you wish to make a claim against a public body, such as your local council, then the time limit is 1 year.

For more information on time limits and how they could affect your claim, talk with one of our advisors today.

Who Can Report A Data Breach To The ICO?

Anyone can make a complaint to the ICO if they believe an organisation has failed to handle their personal data in line with data protection law. As we mentioned earlier, you can make a complaint to the ICO within three months of your last meaningful contact with the organisation.

Data controllers and processors must asses whether the breach could affect the rights and freedoms of those involved. If it does, they must report it to the ICO within 72 hours, and must inform those involved without undue delay.

If you need any additional information on who can report a data breach to the ICO, then don’t hesitate to contact us. 

How To Notify The ICO Of A Data Protection Breach

If you believe that you have been a victim of a data breach, you should begin by contacting the company involved with the breach. This opens a direct line of communication between you and the organisation. It may also help to clarify any issues about the data breach. 

If you do not receive a meaningful reply, or if the response you receive is unsatisfactory, you can report the breach to the ICO through their website.

If you have suffered harm as a result of a personal data breach, you may be able to make a claim for compensation. Contact our team of advisors to learn more.

What Could I Claim After Reporting A Data Breach?

There are two types of damages you could pursue in a personal data breach claim: material damages, and non-material damages.

Material damages refer to the compensation you could receive as a result of suffering financial harm. For example, if your credit card details had been compromised in a personal data breach, this could lead to damage to your credit score, unauthorised withdrawals, and access to further bank accounts.

Non-material damages refer to the compensation you could receive following a psychological injury. Following the ruling of Gulati & Others v MGN Limited [2015], non-material damages can be awarded in line with the guidelines provided by the Judicial College Guidelines (JCG).

While the JCG has traditionally been used to help legal professionals value personal injury claims, such as accident at work and medical negligence claims, it can also be very helpful in providing guideline amounts for personal data breach claims. This is because it contains a list of psychological injuries.

Psychological InjuriesBrackets of CompensationNotes
Severe Anxiety - PTSD£59,860 to £100,670Permanent symptoms of PTSD with no prospect of employment.
Moderately Severe Anxiety - PTSD£23,150 to £59,860Some chance of improvement with professional help.
Moderate Anxiety - PTSD£8,180 to £23,150An almost full recovery, although there are some lingering effects.
Less Severe Anxiety - PTSD£3,950 to £8,180A large recovery, no grossly disabling effects continuing.
Severe Psychiatric Damage£54,830 to £115,730A large impact on the ability to work, attend education, and engage in social activities.
Moderately Severe Psychiatric Damage£19,070 to £54,830Similar to the above with a prognosis that is more optimistic.
Moderate Psychiatric Damage£5,860 to £19,070By the time of trial, the symptoms will have markedly improved.
Less Severe Psychiatric Damage£1,540 to £5,860Consideration given to length of disability and remaining phobias or sleep disturbance.

The Court of Appeals ruling in Vidal-Hall & Others v Google Inc. [2015] allows claimants to claim compensation for non-material damages, without having to claim for material damages alongside this.

For more information on compensation and how much you could receive, contact our team of advisors. They can provide a free estimate of what your claim could be worth.

Make A No Win No Fee Data Breach Claim

Our expert No Win No Fee solicitors provide their services through a Conditional Fee Agreement (CFA). Under a CFA, you will not pay any fees to your solicitor unless your case succeeds. In this case, your solicitor will take a legally-capped percentage from your final award. If your claim does not succeed, you do not pay this fee.

The help of an experienced solicitor can make the claims process feel less daunting. To find out how one of our personal data breach solicitors could help you, get in touch by:

Learn More About How The ICO Helps To Protect Data

To learn more about personal data breaches, we recommend you try our guides surrounding:

Or, for more helpful information:

Contact our advisors for more information on how to report a data breach to the ICO.