The prospect of having your personal information exposed in a data breach is a worrying one. The consequences of losing control of your data can be serious, ranging from identity fraud and financial losses to reputational damage.
Thankfully, there are a number of regulations in place to help protect your personal data. These regulations – including the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 – are designed to ensure that organisations safeguard your personal data properly.
The Information Commissioner’s Office (ICO) is responsible for ensuring these regulations are followed – and that companies who fail to do so are held accountable. The ICO can levy substantial fines against organisations that breach data protection regulations. However, they cannot provide compensation to those affected. Instead, victims will need to pursue a data breach claim.
In this blog, we’ll explain what the ICO does and how they can help you if your personal information has been exposed in a data breach. We’ll also look at how you can make a compensation claim following a data breach, and how an ICO investigation can impact your claim.
What is the ICO?
The ICO is the independent public body responsible for enforcing the UK’s data protection laws. It was first established in 1984 as the office of the Data Protection Registrar, launched to coincide with the UK’s first data protection regulation. It changed its name to the ICO in 2001 to indicate its broader responsibilities, including promoting transparency through the Freedom of Information Act.
Since the introduction of the GDPR in 2018, the role of the ICO has become even more prominent. The GDPR expanded the requirements organisations must meet when storing or processing personal data. It also increased the potential punishments for failing to do so. Under the GDPR, a company can be fined up to £17.5 million or 4% of their annual global turnover, whichever is higher.
As a result, the ICO has grabbed headlines in recent years for levying substantial fines against a range of major companies. These include:
- A £20 million fine for British Airways after security failures exposed the data of more than 400,000 of their customers and staff.
- An £18.4 million fine for Marriott Hotels after they failed to protect the data of an astonishing 339 million guests. This exposed a wide range of sensitive data to cybercriminals including unencrypted passport numbers.
- A £12.7 million fine for TikTok, which the ICO said had illegally processed the data of 1.4 million children under the age of 13.
As you can see from these examples, the ICO has significant powers to tackle data breaches. Companies that fail to protect their customers’ data can face serious financial penalties.
However, as the ICO themselves stress, they are not able to award compensation to those affected by data breaches. Read on below to find out how you can seek compensation through a data breach claim.
How to make a complaint to the ICO
If an organisation suffers a data breach that is likely to impact the rights or freedoms of individuals, they are required to report this to the ICO themselves.
In practice, this means that if the data breach could lead to financial losses, reputational damage or a loss of confidentiality, they need to let the ICO know. The ICO will then investigate the matter, and take any necessary action.
However, you can also make a complaint directly to the ICO if you have been affected by a data breach. This is particularly important if you feel the organisation responsible is not taking the data breach seriously enough. The ICO has an online service that makes it easy to submit a data protection complaint. However, they will expect you to have already complained directly to the organisation responsible.
Once a complaint has been received, the ICO will conduct an investigation if they think a breach may have occurred. In serious cases, this may ultimately lead to regulatory action being taken – but again, you will not receive any compensation.
Does the ICO need to investigate for me to be able to make a claim?
Given the scale and frequency of data breaches in our hyper-connected world, it’s virtually impossible for the ICO to investigate every incident. It also means that, if they do investigate, the process can take a long time.
However, you don’t need to wait on the outcome of the ICO investigation to seek compensation following a data breach. In fact, the ICO doesn’t need to investigate the data breach at all.
The GDPR gives you the right to seek compensation if you have experienced damages as a result of a data breach. This right is not affected by the activities of the ICO. As such, you can make a compensation claim regardless of whether the ICO is currently investigating the incident, or even if they have not done so at all.
How do ICO investigations affect my data breach claim?
Though your right to seek compensation is not dependent on the ICO’s activities, an ICO investigation can be helpful in supporting your claim. In investigating the incident, the ICO may well uncover evidence that helps your case.
However, if the ICO investigation finds a breach of data protection laws has not occurred, this does not mean you cannot seek compensation. If you disagree with the findings of the ICO, it may still be possible for you to pursue the case.
How do I make a data breach claim?
As we’ve stressed above, the ICO cannot award you compensation and it is not necessary for them to investigate for you to make a claim.
According to the GDPR, you can seek compensation if a data protection breach has led to material or non-material damage:
- Material damages are financial losses. For instance, if the data breach led to fraudulent transactions from your bank account, or if reputational damage resulted in lost income.
- Non-material damages refer to the mental or emotional distress a data breach can cause. For instance, it may lead to anxiety issues or to a feeling of loss of control, which can be very upsetting.
If this describes your situation, then the next step is to get in touch with a solicitor with experience making data breach claims. They will be able to advise you whether you are entitled to compensation. If they think you are, they will be able to present your case in the strongest way possible, based on an up-to-date knowledge of the relevant regulations.
HNK Solicitors can support your data breach claim
Here at HNK Solicitors, we’ve helped many of our clients secure compensation following a data breach. Our specialist team of data breach solicitors have extensive, up-to-date knowledge of the relevant regulations. As a result, they’ve been able to ensure our clients get the compensation they deserve – just take a look at our case studies page to see some of our recent success stories.
If you’ve been the victim of a data breach and are considering making a data breach claim, we can help. We offer a free, no-obligation consultation in which we will discuss your case and advise you on whether you may be entitled to compensation. If we think you are, we can offer to take up your claim on a no-win, no-fee basis. If you don’t receive compensation as a result of your data breach claim, you won’t pay us a penny.
To arrange your free consultation, call us on 0151 668 0809, or email us at email@example.com.