A data breach can happen to any organisation. According to the latest IT Governance data, there were 1,243 security incidents in 2021, an 11% rise from the 1,120 reported in 2020. As a result, 5.13 billion records containing sensitive information were compromised.
Finding out that your data has been compromised can be concerning, but there are steps you can follow to mitigate the consequences of the breach and contain the spread of your sensitive data.
The following guide will help you prepare to respond to a breach efficiently, and outlines the actions you can take if you suspect there has already been a breach of personal data. Whether an email was forwarded to the wrong person, your laptop was stolen, or an online account was infiltrated, it is critical that you use your legal rights to protect your data as best you can.
Who safeguards my data?
The Information Commissioner’s Office (ICO) is the UK government body in charge of maintaining data rights in the public interest and protecting individual data privacy rights.
The ICO enforces the Data Protection Act 2018, which outlines how organisations, businesses, and the government must handle your personal data. The Act is based on the General Data Protection Regulation (GDPR), the EU’s equivalent of the Data Protection Act, which means the two laws have many similarities.
According to the ICO, all organisations that process personal data must fulfil the requirements known as “data protection principles”, and ensure that the information they store and handle is:
- Used legally, fairly, and openly
- Used only for intended purposes
- Not stored for any longer than necessary
- Adequately safeguarded by using security measures to prevent unauthorised or unlawful processing, loss, destruction, or damage
The ICO takes the protection of personal data privacy very seriously, and applies additional safeguards to data that discloses an individual’s:
- Political convictions
- Union membership
- Sexual orientation
How soon must a company report a breach?
The law states that a data breach must be disclosed to the ICO within 72 hours. The company or data controller must report it within this timeframe so that it can be logged and examined in compliance with the law.
The breach must be reported on the ICO website by the data controller. The 72-hour period begins when they first hear of the breach, not when it occurs. Failure to inform the ICO reduces the chances of ever recovering any of the lost personal data.
By seeking legal assistance, you can ensure that the breach is properly investigated, that you understand your rights, and that you increase your chances of receiving compensation if the company holding your data is found to be at fault for the breach.
If you decide to seek compensation, making a detailed record of what happened can help you offer solid evidence. Such logs can significantly support your claim that your data was improperly used and stored.
Once the ICO receives the report, it can start its investigation. The controller must keep a journal detailing the circumstances of the breach, including a timeline of what happened and why, who was involved, how events evolved, and what steps they took in response to the breach.
If the ICO has a complete picture of the facts surrounding the breach, it can respond promptly and efficiently.
Finding out what happened to breached data can help to reduce its spread. If possible, retrieve the data as quickly as possible from your end. Your data controller must take the appropriate safeguards to protect everyone who might be at risk of future breaches too, but you may be able to contain the spread to some extent.
Depending on the nature of the breach, you may be able to take practical steps to remove the danger. For example:
- If your data controller mistakenly sent critical information to someone, you can ask them to follow up to delete it or send it back securely.
- The controller could retrace their steps to determine where the breach occurred, identify any security weaknesses or operational issues that may have contributed to the intrusion, and fix them.
- If a digital asset was stolen and its data can be remotely erased, you should do it right away to decrease the risk that sensitive information falls into the wrong hands.
Know your legal rights
If you believe your data has been unfairly used or is not being kept safe, you should alert the organisation that holds it directly so that they can take appropriate response action. If you are dissatisfied with their answer, or believe that more action is required to respond to the breach, you should contact the ICO.
If a firm breached data privacy rules and you suffered as a result, you have the right to start a data breach claim for compensation under the Data Protection Act 2018.
Do I have a claim for compensation following a data breach?
In the event of a breach of sensitive data, the data controller responsible may be held liable and ordered to pay compensation. This will usually involve cases where the private data was not already in the public domain, such as sensitive financial or medical information. In such cases, you should consult an expert in data breach law about your situation to establish whether you have a valid case.
As we explained, the ICO can investigate a data breach and try to figure out who is legally responsible. A favourable ICO ruling determining that the other party abused your data would considerably improve your compensation claim, although this is often a lengthy process.
You do not need to go through the ICO or wait for the conclusion of its investigation to file a claim against an organisation for a data breach; you can do so directly with the party at fault, since they, not the ICO, will be liable for paying compensation.
Organisations may try to minimise their obligations and responsibilities to secure your data, or they may suppress information regarding the extent of a breach. As a result, seeking legal advice from those with expertise in data breaches can guarantee that your legal rights are protected and that your claim is thoroughly investigated. You can find more tech advice on the Enostech security page.