How Long Do I Have To Report A Data Breach? – Personal Data Breaches Explained

Being notified that your data has been involved in a personal data breach can be worrying. Whilst the organisation that suffered the data breach should have reported the incident to the Information Commissioner’s Office (ICO) within 72 hours of it occurring (if it can affect your rights and freedoms), you can still do so yourself. The ICO is an independent body that upholds data rights. In this guide, we answer a frequently asked question about personal data breach claims: how long do you have to report a data breach?

In addition to looking at data breach reporting, this guide also looks at whether a business needs to report the breach to the ICO, and how customers may find out they have been affected. Following this, we look at eligibility criteria and at how to claim with a data protection solicitor.

If your data has been involved in a personal data breach, you may be able to claim compensation. A member of our panel of data breach solicitors could help you. Please get in touch with us for more information.

  • Phone 020 3870 4868 to speak to an advisor.
  • Complete our form to claim online.
  • Speak to a member of our team via our live support chat.


How Long Do I Have To Report A Data Breach?

Any organisation, business or individual holding or processing your personal data must comply with relevant legislation. They should adhere to both the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). These state how personal data collected from a data subject should be secured and protected.

A personal data breach is the accidental or unlawful destruction, loss, alteration, unauthorised access to or unauthorised disclosure of a data subject’s personal data. Personal data is data or information which may be used to identify you. Personal data includes items such as your name, your postal or email addresses and phone number.

Examples of how it could be breached include personal data being sent to the wrong email address, personal data being sent to the wrong postal address, or a misdirected fax.

If you believe your personal data has been affected by a breach, you can report this. There are time limits in which you may do so. If you believe an organisation breached your personal data you must notify them of this. They then have one calendar month in which to respond.

If they do not respond, or you are not satisfied with their response, affected individuals can then report a UK GDPR breach to the ICO. The ICO will expect that you reported the breach to the organisation, have followed up with them, and asked for any clarification.

You may make a complaint to the ICO within three months of your last meaningful contact with the organisation.

Please get in touch with us to learn more about how long you have to report a data breach.

Does A Business Need To Report A Data Breach To The ICO?

Organisations affected by data breaches must notify the ICO of a reportable breach within 72 hours of awareness. The organisation will need to establish the likelihood of a risk to the rights and freedoms of the data subjects involved. If a risk is likely, the breach is reportable.

If there is not likely to be a risk, it does not have to be reported. If an organisation decides not to report the breach, they may need to justify why they did not do so.

Please contact us for more information on how long an organisation has to report a data breach.


How Will I Know If I’ve Been Involved In A Data Breach?

Data subjects must be informed, without undue delay, about personal data breaches if said breach has a high risk to their freedoms and rights. Where there is a high risk, the requirement to inform the data subject is greater than the requirement to notify the ICO. Both must be notified, though.

The party in control of the data should assess the impact on data subjects and how severe this is. Data subjects should be informed of personal data breaches so that they may take steps to mitigate or protect themselves.

Where individuals are not notified, the ICO should still be, unless it can be demonstrated that the breach is not likely to lead to a risk to freedoms and rights. Where there is a higher risk, the ICO could compel the organisation to inform individuals of this.

The information which must be provided includes:

  • Contact details for the organisation’s data protection officer or another relevant contact within the organisation.
  • A description of what consequences may be likely due to the breach.
  • Details of measures which have been proposed or taken to deal with the breach.

Find out what you can do if your data has been breached by contacting our team today.

How Do I Know If I Can Claim Compensation For A Data Breach?

Having looked at when and how to report a data breach, we look at how affected individuals could claim compensation. In order to get compensation for a data breach, you must show that you meet the eligibility criteria.

As already highlighted in this guide, parties who control or process your data must comply with relevant legislation. The data controller decides how your data should be used and directs a data processor in doing so (if they don’t process the personal data themselves).

To make a personal data breach claim, you will need to show that:

  • Either the data processor or data controller has failed to comply with data protection legislation, leading to a breach of personal data.
  • Your personal data has been affected by this. You may have received a data breach notification informing you of this.
  • You were harmed by this breach, such as by suffering a financial loss or damage to your mental health.

Please contact our team if you have received a data breach notice letter informing you your data has been impacted.

Contact Us For Free To See How Long You Have To Report A Data Breach

If you have been impacted by a personal data breach and meet the eligibility criteria set out above, you could claim compensation. Whilst you do not have to work with a personal data breach solicitor, there are benefits to doing so.

A specialist solicitor could help you to collect evidence and to build your case. They will be able to bring experience and expertise, giving you the best possible chance of securing damages. If you choose to claim with a solicitor, our advisors are on hand to connect you to one of the specialist data breach solicitors from our panel if your claim seems valid.

A No Win No Fee data protection solicitor from our panel could help you claim through a Conditional Fee Agreement (CFA). By using this type of agreement, a solicitor can help your case for a personal data breach without charging for their services until you are awarded damages. There are no upfront payments and nothing to pay for their work if your case is not successful.

If you are awarded damages, your solicitor will take a success fee from the compensation. The fee is agreed upon in your CFA and there is a cap by law on the percentage which may be charged.

Get in touch with our team today.


Learn More About Making A Data Breach Claim

In this part of our guide you can find additional information and resources related to personal data breach claims.


Thank you for reading our guide. We hope you now know how long you and a company have to report a personal data breach. Get the answers to further questions about personal data breach compensation claims by contacting our team.