Your Data Breach Rights 

Under the Data Protection Law, individuals who have suffered as a result of a data breach have the right, by law, to claim for compensation. If you have experienced a personal data breach, you may be able to claim compensation for cases where you have suffered financial loss or experienced distress as a result of the data breach incident.

As well as giving you a right to compensation, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) also lay out several rights that you, the consumer, have when it comes to data collection.

Data breaches can happen in multiple ways including:

  • accidental data breaches caused by human or software error
  • malicious internal data breaches conducted by an insider
  • malicious external data breaches conducted by an outsider or hacker
  • loss or misplacement of physical files containing personal data information

Therefore, it is important that you regularly check whether your data has been breached and report any concerns about a potential data breach as soon as you are aware that it may have occurred.

GDPR outlines several individual rights to protect your data.

According to GDPR, your data protection rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

We will explain some of these data protection rights in further detail below so that you can ensure you have a deeper understanding of your personal data rights.

Your right to be informed

The Data Protection Law ensures organisations have a duty to protect your data. Under this law, if an organisation holding your personal and credit card details has a security breach, they must inform you promptly.

When informed of a data breach, you will be advised to take protective personal measures such as:

  • changing your passwords and user details for other online accounts and websites.
  • contacting your bank or credit card provider to cancel the card and notify them of the risk.
  • keeping an eye on all credit, financial and online accounts in case of identity fraud.

If you have been informed that a company has failed to protect your data, you may then have a right to claim compensation for any financial loss or distress caused by the data breach.

Your right of access

You have the right to inquire of any organisation what personal data it holds on you and how it is used by making a Subject Access Request free of charge.

You may have the right to have the data erased, corrected or prohibited from certain use such as sharing. There have been several high-profile cases in the media since the new data protection laws were implemented about ‘The right to be forgotten’. Since 2014 individuals have been able to request that links which they claim are inaccurate, inadequate, irrelevant or excessive be removed from search engine results.

In the case NT1 and NT2 v Google LLC (2018), the court considered whether Google should be required to remove links to articles about the spent convictions of two businessmen. In the case of businessman 1 (NT1) the court ruled that Google was not required to remove the link to the spent conviction for several reasons: NT1 had been convicted for serious dishonesty; he had shown no remorse; he had published misleading social media postings about his integrity; and the people with whom he did business had a legitimate interest in knowing about his previous convictions.

In contrast, Google was required to remove the link to businessman 2 (NT2)’s spent convictions because: he had pleaded guilty to his crime (which was not an offence of dishonesty); he had shown remorse; he was now practising in a new area of business which was not relevant to his conviction; and he provided credible detail about the prejudice the link caused to his business reputation.

Contact our team to find out how you can find out what personal data of yours is being held by an organisation.

Your right to erasure

In today’s digital age, it is possible that there are references to you on the internet that are negative and that you would like to have removed. It may be possible to do this. The right to be forgotten falls under Article 17 of the GDPR and is a way of removing access to negative material on the internet through search engines. You can make a submission to Google and other search engines giving the reasons why the data should be erased on named website URLs.

Most search engines provide an online step-by-step form for you to complete. Many small search engines are owned by the main ones (Google, Bing, Yahoo) together with social media such as Facebook, Twitter, Instagram and YouTube. Here is a helpful guide to help you enforce the right to be forgotten:,news-18871.html

Further help is found on the ICO website.

Obviously you should tailor the reasons to your own case. Common reasons for the right to be forgotten include the fact that the publication is old, disproportionate and has no ‘public interest’ value. But it is a source of continuing distress to you and an invasion of your privacy!

If Google or other search engines refuse, you can refer the matter to the ICO. They will make a recommendation and, if you are successful, provide a directive to the search engine to comply with your request.

Any refusal can be challenged legally and this may, depending on the facts, give rise to CFA legal representation. However, the initial submission and ICO complaint would not be covered by free legal representation, so if you would prefer to have legal representation to make the application, it would necessarily incur reasonable fees. Get in touch with our team to find out more about enforcing your right to be forgotten.

Your right to compensation

Along with the aforementioned data protection rights, you also have a right to compensation if a data breach occurs.

The Data Protection Act 2018 gave effect to the EU wide General Data Protection Regulation (GDPR). This simply means it is enshrined in UK law regardless of Brexit and leaving the EU. This has increased your rights to be compensated when organisations do not comply with these laws.

The new law has significantly affected the responsibilities of public and private organisations holding your personal data, including the terms of how they use, store and share it, to ensure that this is in line with the law. Apart from some exceptions defined by law, your data may be used only with your express consent.

Security is therefore a paramount obligation for organisations to make sure your personal data is not misused, leaked or stolen. Data controllers (any organisation that holds your data) must register with the Information Commissioner’s Office, the official data protection and privacy watchdog.

In a world governed by electronic data and the internet, the threat to personal data has increased.

Organisations are now required to comply with the law in controlling and processing your data. Furthermore, where serious data breaches occur both the Information Commissioner’s Office (ICO) and any individuals affected must be promptly notified.

For some organisations and depending on the nature and extent of the breach, this can result in a fine by the ICO of up to £18 million or 4 per cent of turnover (whichever is greater).

For individuals whose data is affected, they may have a right to financial compensation. The ICO itself cannot award compensation for data breach but DRM Legal is here to help you claim the compensation that you deserve. Read more about how to claim here or fill out our quick and easy claim form to see if you have got a claim.


Our dedicated team is here to assist you with any questions you may have regarding personal data breaches. Please feel free to contact us via any of the below methods or, if you would like to know whether you are eligible to make a claim, please complete our claim enquiry form.