More and more organisations now hold a greater amount of information about us. This could include data such as:
Personal data breaches you most often hear about are those where an unauthorised third party, such as a hacker, has gained access. Another data protection breach example is when technology containing personal data is lost or stolen.
But it's also a personal data breach when companies send your personal data to someone else without your consent, or when your data is altered without your permission.
If you become aware that an organisation has lost your personal data as a result of a breach, there are steps you can take to protect yourself and, in some cases, claim compensation.
If a company has lost your personal data as a result of a data breach, there are data protection procedures it must follow.
If there is a serious breach of your personal data which is likely to result in a high risk to your rights and freedoms, in most circumstances the company is obligated by the to tell you without undue delay.
The organisation has to establish the likelihood and severity of the risk to your freedom and personal data rights following a breach.
The company should explain to you:
If your data has been lost and you use the same or similar login information - such as passwords and usernames - for other websites or online accounts, you should change those details immediately.
You may want to keep a close eye on your bank accounts and other online accounts over the next few months, particularly if you think the breach involved any financial details or details that a scammer could use to commit .
If you see anything unusual, contact your bank immediately and explain that you've been the victim of fraud.
It's also important to check your credit report with the three main credit agencies - Callcredit, Experian and Equifax - to ensure credit isn't taken out in your name.
If you find that any of the above has happened, you should also contact Action Fraud as soon as possible.
If you're contacted by anyone over the phone asking you for personal details or passwords (such as for your bank account), take steps to check their true identity.
Ask them to give you details that only the company they claim to be calling from would know. For example, details of your service contract or how much you pay per month.
If you still have concerns about the caller's identity, you should hang up and call the company back.
If possible, use a different telephone to check the validity of the phone call.
Bear in mind that scammers may have access to more of your personal information than seems normal. So if you are at all suspicious, hang up the phone, look up the organisation's number and call it yourself.
Organisations are bound by the Data Protection Act 2018 (GDPR) to keep your data secure.
This means that they must take measures to prevent unauthorised or unlawful processing of your personal data.
They must also protect against accidental loss or destruction of, or damage to, your personal data.
If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.
If you’ve suffered distress or financial loss as a result of your data being compromised, the first thing you must do is contact the organisation that you believe is responsible.
Outline what distress and/or losses you’ve suffered, and how you expect it to compensate you. It's important to note that you can now make a claim relating to distress alone - you do not need to have also suffered financial loss.
You can also take your concerns with how the organisation processed your data to the Information Commissioner’s Office (ICO).
By law, the ICO can't award compensation or give advice on the level of compensation that should be due, even when it has said that in its view the organisation did indeed breach the GDPR. But its opinion can be influential in making your claim against the organisation that has compromised your data.
If you can't agree with the organisation that compromised your data on the fact that you are due compensation, or on the level of compensation, you can make a claim via the small claims court.
A good piece of evidence to take to court is if the ICO agreed with you that the GDPR was indeed breached.