What happens when your data is breached?

When your data is breached and the body holding your personal data becomes aware of it, it has legal obligations to act.

It must assess the seriousness of the breach and the potential consequences. Sometimes a breach may affect more than one person but, depending on the circumstances, the organisation may not need to notify the individuals. Likewise, a data breach may affect just one person, but the information could be so important that the company must notify that person as soon as possible. Where there is a substantial risk to your data and privacy rights, it must:

  • notify the ICO about the nature, extent and possible consequences of the breach
  • state what measures it has taken, or intends to take, to rectify the breach
  • promptly and in writing notify the people potentially affected, explaining what happened and their rights.

The ICO will consider the breach and may investigate and fine the organisation. If the organisation does not notify the ICO or the individuals affected by the breach, then those individuals can report the breach to the ICO themselves. In fact, we would always advise our clients to report a breach to the ICO before proceeding with a compensation claim. This is because the ICO will provide a report of its findings in relation to the breach, and this can be used to support your claim.

Read more here about what to do if you have received a notification from an organisation confirming that your data has been breached.