My personal data has been involved in a breach, what can I do next?
–– 17 Mar 2019
In this guide we’ll explain what a data breach is, what a company must do, what rights you have and what steps you can take to protect yourself and your personal data.
What sort of data can organisations hold about me? 🤔
Modern technologies mean organisations are able to hold a greater amount of information about us. Below are a few examples of what data they may hold (this is the tip of iceberg – believe me!):
- your name
- your address
- your date of birth
- your email address
- your telephone numbers
- your credit card details
- your bank details
- your password(s)
- your location(s)
- your purchase(s)
- your email(s)
Wait! Hang on, how do I even know if an organisation has my data in the first place? Find out in our consumer guide on how to find out if an organisation has your personal data.
We’ve also got a free app that helps you find out if an organisation holds your personal data, learn more.
What is a personal data breach? 🔐
A personal data breach is when personal data protected under General Data Protection Regulation (GDPR) is accidentally or deliberately destroyed, lost, altered, disclosed or accessed as a result of a security incident.
Most commonly it is when a security incident happens and it affects the confidentiality, integrity or availability of your personal data.
Most personal data breaches are those where a hacker has gained access. Another possible breach is when technology containing personal data is lost or stolen.
But it’s also a personal data breach when companies send your personal data to someone else without your consent, or when your data is altered without your permission.
If you become aware that an organisation has lost your personal data as a result of a breach, there are steps you can take to protect yourself.
What must a company do when there’s a data breach? 🔓
If an organisation has lost your personal data as a result of a breach, the organisation must follow what’s called data protection procedures, or steps it must take following the breach.
If the data breach is serious, and poses a high risk to individuals, in most cases the organisation must under GDPR tell you without undue delay.
The organisation should explain to you the below things (generally we see these sent via email):
- the name and contact details of its data protection officer (DPO) or other contact that can provide more information
- a description of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.
What are the next steps you can do to protect yourself…
Change your usernames and passwords ✍️
If your data has been lost and you use the same or similar login information – such as passwords and usernames – for other websites or online accounts, you should change those details immediately. Be sure to change your details in your password managers such as 1Password or Dashlane.
Keep an eye on your bank accounts and credit report 👩💻👨💻
Keep a close eye on your bank accounts and other online accounts over the next few months.
If you see anything unusual, contact your bank immediately and explain that you’ve been the victim of fraud.
If you’re not happy with the way your bank deals with your complaint, you can refer it to the Financial Ombudsman Service (FOS).
Check your credit report to ensure credit isn’t taken out in your name.
If you find that any of the above has happened, you should also contact Action Fraud as soon as possible.
Action Fraud is the UK’s national fraud and internet crime reporting centre and it can be reached on 0300 123 2040 or via the Action Fraud website.
Be aware of scams ⚠️
If you are contacted by anyone asking you for personal details or passwords (such as for your bank account), take steps to check who they really are.
Ask them to give you details that only that company they claim to be calling from would know. For example, details of your service contract, company house details, or how much you pay per month.
If you still have concerns about the caller’s identity, you should hang up and call the company back.
Bear in mind that scammers may have access to more of your personal information than seems normal. So if you are at all suspicious hang up the phone, look up the organisation’s number and call it yourself.
How to complain and claim compensation 💰
Organisations are bound by the GDPR to keep your data secure.
This means that they must take measures to prevent unauthorised or unlawful processing of your personal data.
They must also protect against accidental loss or destruction of, or damage to, your personal data.
If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.
1. Complain to the company that lost your data 📞
If you’ve received financial difficulties or suffered distress when your personal data had been compromised, you should contact the organisation that you believe is responsible.
Let them know what distress and/or losses you’ve suffered, and how you expect it to compensate you.
2. Complain to the ICO 🗣
You can also take your concerns with how the organisation processed your data to the Information Commissioner’s Office (ICO).
By law, the ICO can’t award compensation or give advice on the level of compensation that should be due, even when it has said that in its view the organisation did indeed breach the GDPR. But its opinion can be influential in making your claim against the organisation that has compromised your data.
3. Go to the small claims court 👨⚖️👩⚖️
If you can’t agree with the organisation that lost your personal data, or on the amount of compensation, there are instances you can make a claim via the small claims court.
If the ICO agree with you that it was a breach that may be good enough evidence to take it to the small claims court.
We hope you’ve found this guide useful. If you have further questions, or need further advice get in touch firstname.lastname@example.org. 🙂