Legal notice: This does not constitute legal advice. Legislation and case law change. Always consult a qualified lawyer about your specific situation.

Updated 2026-04-09

What Can You Do If a Company's Data Breach Affects You?

If your personal data has been exposed in a data breach, you have rights to be notified, to complain, and in some cases to claim compensation.

Quick Answer

If you are affected by a data breach, you should receive notification from the organisation within 72 hours (or as soon as reasonably practicable if the breach is ongoing). You can complain to the ICO, request information about the breach via a DSAR, and potentially claim compensation for distress or financial loss suffered as a result of the breach.

Full Explanation

A personal data breach is a security incident in which personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorisation. UK GDPR imposes obligations on organisations to manage breaches responsibly.

Organisations must notify the ICO of a serious breach within 72 hours of discovering it. They must also notify affected individuals 'without undue delay' where the breach is likely to result in a high risk to their rights and freedoms. The notification must include: the nature of the breach; the categories of data affected; the likely consequences; the measures taken; and contact details for the DPO.

As an affected individual, your rights include: the right to receive notification from the organisation (if the risk is high enough); the right to make a DSAR to find out exactly what data was affected; the right to complain to the ICO; and the right to claim compensation under UK GDPR Article 82 for any material or non-material damage suffered.

Compensation claims are becoming more common. In the landmark case of Lloyd v Google LLC [2021] UKSC 50, the Supreme Court clarified that individuals cannot claim compensation for the mere fact of a data breach without demonstrating some damage. However, distress arising from a breach is compensable, and claims can be brought by individuals in the county court or, in sufficiently large cases, as representative actions.

If the breach has resulted in identity theft, fraud, or financial loss, you should also: contact your bank and card providers immediately; register with CIFAS (the UK's Fraud Prevention Service) to place a protective marker on your credit file; and report to Action Fraud (the national reporting centre for fraud and cybercrime).

Legal Basis

  • UK GDPR, Articles 33–34 (breach notification obligations)
  • UK GDPR, Article 82 (compensation)
  • Data Protection Act 2018, section 168
  • Lloyd v Google LLC [2021] UKSC 50 (individual claims)

What To Do

1. Confirm the Nature of the Breach

Review the notification from the organisation carefully. If you have not received a notification but believe you are affected, submit a DSAR asking for details of any breach affecting your data and what security measures have been taken.

2. Take Immediate Protective Steps

Change passwords on any affected accounts and on any other accounts using the same password. Enable two-factor authentication. If financial data was exposed, contact your bank and consider placing a fraud alert on your credit file via CIFAS.

3. Report to Action Fraud

If the breach has resulted in fraud or identity theft, report to Action Fraud (0300 123 2040 or actionfraud.police.uk). This creates a formal record and may trigger a police investigation.

4. Complain to the ICO

If the organisation has failed to notify you appropriately, has not taken the breach seriously, or has been negligent in its security practices, complain to the ICO. The ICO can investigate and take enforcement action.

5. Claim Compensation if Damage Resulted

If you have suffered financial loss or significant distress as a result of the breach, consider a claim for compensation under UK GDPR Article 82. A county court claim is straightforward for lower-value claims; specialist data breach solicitors handle larger claims on a no win, no fee basis.

Important Deadlines

Organisation must notify ICO of serious breach: within 72 hours of becoming aware
Court claim for compensation: six years from the breach (Limitation Act 1980)

Important Warnings

The Supreme Court decision in Lloyd v Google means that mass claims based on the mere fact of a breach (without individual damage) are unlikely to succeed — each claimant must show personal damage.

Be alert to phishing emails following a data breach — criminals often exploit breach publicity to send convincing fraudulent emails posing as the affected organisation.
