Book a free consultation

Data Breach: What Are My Rights

In this article, Ruby Keeler-Williams of Elysium Law considers the consequences of a personal data breach and what rights you have. The article briefly looks at the legislation and considers quantum and case law.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 set out rules as to how data is collected, used, stored, and protected.

Under the legislation, any organisation which holds and determines the purpose of the processing of personal data must implement appropriate technical and organisational measures to ensure that the processing of personal data complies with the rules.

A breach of personal data can occur if appropriate measures are not in place. A breach of security may lead to the destruction, loss or unauthorised access to personal data.

This infringes your rights as an individual and can have serious consequences. We have been instructed on matters where a breach in the security of a company led to the unauthorised disclosure of employee identity documents and bank details. These details were then distributed to criminal groups and companies were fraudulently set up in the employees’ names.

If a company that holds your data processes it in breach of the legislation or holds your data in such a way that it is disclosed in an unauthorised way, whether accidentally or deliberately, then you are entitled to claim for compensation.

If your claim is successful, you will receive damages, also known as compensation. You will be able to claim for any identifiable losses which have arisen from fraudulent transactions caused by identity theft. You will also be able to make a claim for general damages if the breach in your data has caused you distress. We will discuss your case at length and identify which damages are relevant to your specific matter.

Your level of compensation will depend on the nature of the data breached. If the data breached does not contain sensitive information (such as name alone) and/or is quickly remedied, then whilst you have a right to claim, in reality the claim will be worth very little and may not be worth pursuing. It is for this reason why you should seek legal advice at the earliest possible opportunity.

Decisions in recent years illustrate that the High Court will not condone claims that are exaggerated and unnecessarily complex. An example is Stadler v Currys Group Ltd [2022] EWHC 160 (QB), whereby a refurbished device was resold without a factory reset to remove the previous users purchase details, leading to a £3.49 purchase being made on the user’s account. The Claimant issued high court proceedings seeking £5,000 in damages for breach of confidence, misuse of private information, negligence and breach of data protection law, seeking injunctive relief. The defendant made an application to strike out the claim and was successful save for the breach of data protection law. The judge also transferred the claim down from the High Court to the County Court and suggested that the small claims court was the appropriate allocation.

In some cases the data breached is sensitive, such as medical records, identity documents, bank details, etc. In these cases, there will be a substantial claim for damages.

Due to the relatively recent developments in technology and the sensitive nature of such claims, there is limited case law detailing the quantum of awards of damages. Many cases settle before they reach the courts. Each case will be assessed on its own merits and due to the individual nature of a claim for distress, a group of individuals who have suffered the same category of data being breached may receive different awards.

Generally, damages for breach of data will be awarded within the following guidelines

  • Personal details (home or email address, date of birth, etc) – £1,000 to £1,500
  • Medical information (depending on who it is disclosed to/the nature of the information) – £2,000 – £5,000
  • Financial information (depending on who it is disclosed to/the nature of the information) £3,000 to £7,500

If you have suffered as a result of a breach of your personal data, please contact us via telephone on 0151 328 1968 or via email at clerks@elysium-law.com to have a discussion with the team. We will have a free, no obligation discussion with you to help determine the merits of your claim and can advise you on the next steps if you wish to pursue it further.