What happens if data protection is breached?
Data protection is an incredibly serious matter. Any organisation that stores and handles personal data has a range of very strict guidelines that they must follow in order to keep the data secure, and to ensure it is not misused in any way.
Unfortunately, data protection breaches are a routine occurrence. Whether it is due to inadequate security measures or straightforward negligence, the consequences of data protection breaches are likely to be wide-reaching for all parties concerned.
In this article, we will explore:
- What is the Data Protection Act?
- What is GDPR?
- How can data protection be breached?
- What happens if a company breaches the Data Protection Act?
- How long does an organisation have to report a Data Protection Act breach?
- What can victims of a Data Protection Act breach do?
- How Hayes Connor can help with data protection breaches
- What other steps should you take if an organisation breaches the Data Protection Act?
What is the Data Protection Act?
The Data Protection Act 2018 (DPA) essentially sets out the framework for data protection laws in the UK. It was brought into effect to replace the previous Data Protection Act 1998.
Due to the UK’s exit from the European Union, it was amended at the start of 2021 to reflect this new status.
The DPA 2018 is divided into separate parts which apply in different situations and perform specific functions – this includes UK GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation. Companies operating in the UK are governed by UK GDPR, which came into effect at the start of 2021.
UK GDPR defines the key principles, rights and obligations for the storage and processing of personal data in the UK – excluding law enforcement and intelligence agencies.
The terms of UK GDPR set out seven key principles which dictate how organisations should process personal data. These are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
For organisations to be fully compliant with UK GDPR, they are obligated to strictly follow these provisions. Failing to do so could lead to a data protection breach, which could result in serious consequences, both for the organisation, and any innocent individuals whose data is compromised.
It should also be noted that UK GDPR is based on the EU GDPR. EU GDPR previously applied in the UK and some companies may be required to comply with both if they offer goods and/or services to individuals in Europe.
The EU GDPR is regulated separately by European supervisory authorities, which means organisations will have a range of specific EU obligations.
How can data protection be breached?
According to UK GDPR, personal data breaches are any type of incident where a breach of security results in “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Breaches typically happen in one of two ways. They can be the result of simple human error, such as an email being sent to the wrong person or the wrong attachment being included, or of a deliberate action by a third party, such as a cyber-gang launching a ransomware attack.
Even where an organisation is the target of an attack and was not the direct cause of the data being compromised, it will still be considered responsible and is likely to face a range of potential penalties. This is because organisations are responsible for ensuring that their data protection policies are up to date and their security measures are robust.
What happens if a company breaches the Data Protection Act?
If a company or organisation breaches the Data Protection Act, there are strict processes in place governing how it must report the issue.
Where GDPR has been breached, the responsible party must notify any individuals who have been affected where there is high risk to their rights and freedoms. The following needs to be explained when an organisation reports a data protection breach:
- The contact details of the data protection officer or other point of contact
- A description of the data breach and any consequences
- A description of any measures that have been taken/are being undertaken to address the data breach and mitigate further incidents
- Advice on steps that can be taken for individuals to stay protected
Following a data protection breach, the responsible party will usually be required to report the incident to the Information Commissioner’s Office (ICO).
The ICO has the power to conduct an investigation and can impose Data Protection Act breach penalties. For a Data Protection Act breach, the penalty can include a fine set at a maximum of £11.7 million, or 4% of annual global turnover – whichever is greater.
Individuals who were affected by the breach of the Data Protection Act may also be in a position to claim compensation. This is not something the ICO can help with, but is instead done on an individual basis.
How long does an organisation have to report a Data Protection Act breach?
If an organisation is responsible for a breach of the Data Protection Act, they must report it to the ICO ‘as soon as possible’. The ICO recommends that a report should be filed no later than 72 hours after the incident is first brought to light. If it takes longer to file a report, the business must provide an adequate explanation.
Any failure to provide prompt notification of a Data Protection Act breach under GDPR could lead to the ICO or other relevant authorities responding with additional fines or penalties.
How do I know if a company has breached the Data Protection Act?
If you have reason to believe that an organisation has breached the Data Protection Act, and you have been affected as a result, there are a number of ways you can find out for certain.
As discussed above, any organisation that breaches the Data Protection Act is required to inform you when your data is exposed. Typically, this will be in the form of a letter or email.
That being said, it is often the case that an organisation fails to provide proper notification, or a letter or email can be easily missed.
You may learn about a breach of the Data Protection Act via a report from the ICO, or you can conduct your own research by checking online to see whether your email address has been compromised.
If you are still unsure whether you are the victim of a Data Protection Act breach, you can speak to a specialist data breach solicitor to discuss your circumstances and what steps you should take.
What can victims of a Data Protection Act breach do?
Victims of a data breach may be able to make a claim for data breach compensation. This can be used to help account for any direct financial losses that have been caused by the data breach, as well as the general distress caused.
Even where a breach of the Data Protection Act has not led to any immediate financial losses, the situation is still likely to be incredibly stressful and can have a substantial impact on someone’s physical and mental health.
If someone learns that they are the victim of a data breach, they should also take various other measures to mitigate the risk of their data being misused any further. This includes:
- Contacting a bank and/or credit card provider – A bank can cancel any cards that have been affected by a breach and reverse any fraudulent transactions.
- Changing passwords – Login details should be changed for both the account that has been affected and any others which share the same password.
- Being wary of phishing attacks – Phishing attacks may be launched in an attempt to extract further sensitive data.
- Reporting the incident – A report can be filed with Action Fraud and the ICO. Investigations by these authorities can prove useful when making a claim for compensation.
- Speaking to a data breach claims solicitor – Where data has been breached, it is strongly advised that affected individuals speak to a data breach claims specialist at the earliest opportunity.
How Hayes Connor can help with data protection breaches
If you have been notified that your personal data has been compromised following a breach of the Data Protection Act, our data breach solicitors may be able to support you in making a claim for compensation.
At Hayes Connor, we have one of the largest teams of data breach specialists in the country. We have a wealth of combined experience and expertise in handling a wide range of data breach claims, meaning we will be able to advise you on whether you will have grounds to make a claim, the level of compensation you might receive and how the process will work.
We want to ensure that anyone affected by a data breach is able to access the compensation they deserve, while also making the claims process as straightforward as possible.
To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.
If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5135.