Transparent IT Expo - Portsmouth - Wednesday 13th March 2024

What do I need to do following a data breach?

Every organisation or individual is vulnerable to a data breach. New statistics from the latest IT Governance research indicate an 11% rise in reported security breaches from 1,120 in 2020 to 1,243 in 2021, translating to roughly 5.13 billion exposed records with sensitive content.

The unsettling possibility of your personal data being misappropriated can be overwhelming; nevertheless, it’s vital to understand that measures exist to limit the repercussions of the breach and restrict the spread of leaked sensitive data.

This article explains how to form an effective contingency plan in response to a breach and describes the actions you can take if you suspect your personal data has been compromised. Whether the cause is a misplaced email, a stolen laptop or a hacked online account, asserting your legal rights to protect your data is essential.

Who Safeguards Your Personal Data?

In the UK, the duty to protect personal data privacy and uphold data rights in the public interest lies with the Information Commissioner’s Office (ICO). The ICO is tasked with enforcing the Data Protection Act 2018, the legislation that dictates how organisations, businesses and the government may treat personal data. This statute parallels the European Union’s General Data Protection Regulation (GDPR), hence the similarities between the two.

The ICO requires that every entity handling your personal data complies with the “data protection principles,” which demand that the data it stores and processes is:

  • Processed in a lawful, fair and transparent manner
  • Used solely for the purposes stated when it was collected
  • Accurate
  • Retained only for as long as necessary
  • Protected by adequate measures against unauthorised or unlawful processing, loss, destruction or damage

The ICO places particular emphasis on securing the privacy of sensitive personal data, specifically data revealing characteristics of an individual such as:

  • Race
  • Ethnicity
  • Political beliefs
  • Religion
  • Biometrics
  • Union membership
  • Sexual orientation
  • Health

A data breach disclosing such sensitive information can have grave repercussions, including financial loss and emotional distress, and may give you grounds to seek compensation for the breach.

What is the Reporting Time Frame for Businesses after a Breach?

By law, a data breach must be reported to the ICO within 72 hours. The ICO then launches a detailed investigation to uncover the leak’s origin and verify that all parties fulfilled their legal duties. If the organisation holding your data is found to have been negligent in safeguarding it, and that negligence led to material damage or loss, you may have grounds to bring legal proceedings.

Reporting the Breach

The data controller is obliged to report the breach on the ICO website within 72 hours of its discovery, irrespective of when it transpired. Any lapse in alerting the ICO could hamper the recovery of the misplaced personal data.

Beyond the formal report, seeking advice from legal experts can facilitate a comprehensive investigation of the breach, safeguard your rights as a data subject, and give you a clear understanding of those rights should a breach be confirmed. This improves your prospects of receiving compensation if the organisation managing your data is held accountable for the breach.

Documenting the Breach

Maintaining an exhaustive record of the incident will help any victim supply credible evidence when pursuing compensation. Such records greatly strengthen the argument that their data was mishandled and inadequately protected.

Upon receipt of the report, the ICO initiates an investigation. The controller must maintain a record detailing the breach’s circumstances, including a timeline, involved individuals, event sequence, and corrective actions taken in response to the breach.

Containing the Breach

A comprehensive understanding of the incident enables the ICO to respond swiftly and effectively. This is crucial, because knowing exactly what happened to your leaked data is the first step in containing its spread.

The responsible organisation should work to retrieve the data on its end as promptly as possible. The data controller is also expected to put robust measures in place to protect those affected against further exposure.

Depending on the breach’s nature, the organisation managing your data may adopt practical measures to alleviate any damage. For instance:

  • If critical data was inadvertently disclosed, the organisation can ask the recipient to delete it or return it securely.
  • The controller can trace the breach back to its origin and rectify the security or operational failings that led to it.
  • If a digital asset is stolen and its data can be remotely erased, the organisation should do so promptly to limit the risk of sensitive information falling into the wrong hands.

Understanding Your Legal Rights

If you suspect misuse of your data or inadequate security, you should alert the concerned organisation for them to implement corrective measures. If you find their response inadequate or believe more action is required to address the breach, you should inform the ICO.

If an organisation infringes upon data privacy regulations causing you harm, you are entitled to file a data breach compensation claim under the Data Protection Act 2018.

Can I Claim Compensation for a Data Breach?

In the event of a sensitive data breach, the organisation responsible for data control can be held accountable and compelled to pay compensation. This typically encompasses situations where previously non-public private data, like confidential financial or medical information, has been exposed. In such circumstances, consulting a legal expert specialising in data breaches can help evaluate if you have a viable case for a data breach claim.

As noted, the ICO can investigate a data breach and try to establish legal culpability. A favourable ICO ruling finding that the other party misused your data would substantially bolster your compensation claim, although reaching that ruling can be a lengthy process.

If you have incurred tangible losses or emotional distress due to a data breach, you can file a claim against an organisation – you are not obliged to approach the ICO or wait for the conclusion of its investigation. You can directly proceed with the liable party, as they are responsible for paying compensation, not the ICO.

However, organisations might attempt to downplay their data security obligations or conceal the breach’s full extent. Therefore, securing legal counsel from specialists in data breach claims can ensure that your legal rights are protected and your claim is thoroughly investigated.