How Do You Report A Data Breach To The ICO?

By Stephen Burke. Last Updated 18th October 2024.

If your personal data has been compromised in a personal data breach, you may be wondering how to report a data breach to the ICO. The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights and tasked with upholding data protection law and standards in the UK.

This guide will explain how and when you should report a personal data breach to the ICO, along with explaining who is eligible to make a personal data breach claim. We will also look at the time limits connected with making a personal data breach claim, and how one of our experienced personal data breach solicitors could help you.

When a data controller or data processor fails to safeguard your personal data, this can cause considerable financial and mental harm. If you have suffered financial harm or a psychological injury as a result of a personal data breach, you may be able to make a claim.

To start your claim, contact our advisors today by:


Select A Section

  1. When To Report A Data Breach To The ICO
  2. How Long After A Data Breach Should The ICO Be Notified?
  3. Who Can Report A Data Breach To The ICO?
  4. How To Notify The ICO Of A Data Protection Breach
  5. What Could I Claim After A Data Breach?
  6. Make A No Win No Fee Data Breach Claim

When To Report A Data Breach To The ICO?

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) are the two leading pieces of legislation protecting personal data in the UK. If an organisation fails to adequately protect your personal data, and you suffer harm as a result, you may be eligible to make a claim.

A personal data breach refers to a security incident that affects the security, integrity, or availability of your personal data. For example, a breach occurs if your personal data is shared with an unauthorised party, or if a device or folder containing documents that hold personal data is lost. There are six lawful bases for the processing of personal data, including consent.

Personal data refers to any data that could identify you, including your:

  • Name
  • Date of birth
  • Email address
  • Home address
  • Phone number

If you suspect that your personal data has been compromised in a personal data breach, you can contact the data controller directly. This is the organisation that decides what data to collect, how to store or use it, and why. They may be able to provide more information.

You can report a personal data breach to the ICO within three months of your last meaningful contact with the organisation in question. The ICO may then choose to open an investigation into the breach, but they cannot provide any form of compensation.

That’s where we can help. Get in touch with our advisors to find out more about how we can help you claim compensation after suffering harm due to the consequences of a personal data breach. 

How Long After A Data Breach Should The ICO Be Notified?

If a personal data breach occurs that could affect the rights and freedoms of the data subject, the organisation must notify the ICO within 72 hours. They must also contact the data subject without undue delay to inform them of the breach.

Personal data breach claims also have a time limit. If you wish to make a claim against a private organisation, the limit is usually six years. However, if you wish to make a claim against a public body, such as your local council, then there’s a one-year time limit.

Talk with one of our advisors today to learn more about time limits.

Who Can Report A Data Breach To The ICO?

Anyone can make a complaint to the ICO if they believe an organisation has failed to handle their personal data in line with data protection law. As we mentioned earlier, you can make a complaint to the ICO within three months of your last meaningful contact with the organisation.

Data controllers and processors must assess whether the breach could affect the rights and freedoms of those involved. If it could, they must report it to the ICO within 72 hours, and must inform those involved without undue delay.

If you need any additional information on who can report a data breach to the ICO, then don’t hesitate to contact us. 

How To Notify The ICO Of A Data Protection Breach

If you believe that you have been a victim of a data breach, you should begin by contacting the organisation or business involved with the breach. This opens a direct line of communication between you and the organisation. It may also help to clarify any issues about the data breach. 

If you do not receive a meaningful reply, or if the response you receive is unsatisfactory, you can report the breach to the ICO through their website.

If you’ve been harmed as a result of a personal data breach, you may be able to make a claim for compensation. Contact our advisors to learn more.

What Could I Claim After Reporting A Data Breach?

If you report a data breach to the ICO, this could mean they will investigate the matter. However, the ICO does not award compensation to data subjects. So, regardless of whether you report the organisation to the ICO or not, you can still pursue data breach compensation. If your claim succeeds, you will be compensated for two types of damage. Firstly, you could be awarded compensation for non-material damage, which is the impact on your mental health, such as causing you distress or anxiety.

Secondly, you could be awarded compensation for material damage, which is any financial harm you have suffered due to the data breach. This can include things like lost earnings for time away from work while your health recovers or funds to cover therapy fees.

Those who assess the value of compensation for non-material damage in a claim may check the Judicial College Guidelines (JCG). This document includes compensation amounts for different kinds of psychological injuries. For guidance on possible payouts for non-material damage, you can view the table below, which includes several figures from the JCG. Please note that the first entry is an estimated figure that’s not taken from the JCG.

Compensation Table

Psychological Injuries | Compensation Figure | Notes
Severe Psychological Harm And Financial Losses | Up to £250,000+ | A compensation payout may be given if you're eligible to claim for psychological harm considered severe plus related financial losses, such as money stolen from a bank account.
Severe Psychiatric Damage | £66,920 to £141,240 | A large impact on the ability to work, attend education, and engage in social activities.
Moderately Severe Psychiatric Damage | £23,270 to £66,920 | Similar to the above with a prognosis that is more optimistic.
Moderate Psychiatric Damage | £7,150 to £23,270 | By the time of trial, the symptoms will have markedly improved.
Less Severe Psychiatric Damage | £1,880 to £7,150 | Consideration given to length of disability and remaining phobias or sleep disturbance.
Severe PTSD | £73,050 to £122,850 | Permanent symptoms of PTSD with no prospect of employment.
Moderately Severe PTSD | £28,250 to £73,050 | Some chance of improvement with professional help.
Moderate PTSD | £9,980 to £28,250 | An almost full recovery, although there are some lingering effects.
Less Severe PTSD | £4,820 to £9,980 | A large recovery, no grossly disabling effects continuing.

For more information on how much data breach compensation you could receive, contact our advisors today. Our team can assess the potential value of your case and answer other relevant questions you may have, such as “How do you report a data breach to the ICO?”

Make A No Win No Fee Data Breach Claim

If you’re eligible to claim compensation for a personal data breach reported to the ICO, or one that has not been reported, one of our solicitors could help.

Furthermore, they may offer to work on your case under the terms of what’s called a Conditional Fee Agreement (CFA). It means you would not be expected to make payments to your solicitor upfront or to make any ongoing payments for their service. You will also not need to pay them for the work they’ve delivered should your claim fail.

Alternatively, your solicitor will take a success fee from you should they succeed with the data breach claim. This will be a legally capped and small percentage that is deducted from the compensation given to you.

To learn whether one of the No Win No Fee solicitors on our team could take on your case, speak to our advisors. They could check your eligibility free of charge and connect you with a solicitor who could help you get the compensation you deserve.



Contact our advisors for more information on how to report a data breach to the ICO.