My personal data has been lost after a breach, what are my rights?

If you become aware that an organisation has lost your personal data, there are steps you can take to protect yourself and, in some cases, claim compensation following a data breach.
Lauren Deitz

What data do organisations hold about me?

More and more organisations now hold a greater amount of information about us. This could include data such as:

  • your name
  • your address
  • your date of birth
  • your email address
  • your telephone numbers
  • your credit card details
  • your bank details
  • your password(s).

What counts as personal data may include more than you initially realise – our guide explains what personal data is according to UK data protection law.

What is a data protection data breach?

A personal data breach is when protected personal data is accidentally or deliberately destroyed, lost, altered, disclosed or accessed without permission, usually as a result of a security incident.

Personal data breaches you most often hear about are those where an unauthorised third party, such as a hacker, has gained access. Another data protection breach example is when technology containing personal data is lost or stolen.

But it's also a personal data breach when companies send your personal data to someone else without your consent, or when your data is altered without your permission.

If you become aware that an organisation has lost your personal data as a result of a breach, there are steps you can take to protect yourself and, in some cases, claim compensation.

What must a company do when there's a data breach?

If a company has lost your personal data as a result of a data breach, there are data protection procedures it must follow.

If there is a serious breach of your personal data which is likely to result in a high risk to your rights and freedoms, in most circumstances the company is obligated by the Data Protection Act 2018 (GDPR) to tell you without undue delay.

The organisation has to establish the likelihood and severity of the risk to your freedom and personal data rights following a breach.

The company should explain to you:

  • the name and contact details of its data protection officer or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.

Change your passwords

If your data has been lost and you use the same or similar login information - such as passwords and usernames - for other websites or online accounts, you should change those details immediately.

Key Information

What's a strong password?

  • At least eight characters long
  • Doesn't contain your username, real name or company name
  • Doesn't contain a complete word
  • Significantly different from your other passwords
  • Contains a combination of cases, numbers, letters and symbols.

Read more: how to create secure passwords
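As an added illustration (not part of the original guide), a small Python checker that applies the five criteria listed above to a candidate password. The short word list and the similarity threshold are assumptions standing in for a real dictionary and a real policy.

```python
import string
from difflib import SequenceMatcher

# Constructed mini word list (assumption); a real checker would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Passwords sharing more than this fraction of characters (difflib ratio) are treated
# as not "significantly different" (assumed threshold).
SIMILARITY_THRESHOLD = 0.7


def check_password(candidate, username="", real_name="", company="", other_passwords=()):
    """Return the list of criteria the candidate fails; an empty list means it passes all five."""
    failures = []
    lower = candidate.lower()

    # 1. At least eight characters long.
    if len(candidate) < 8:
        failures.append("shorter than eight characters")

    # 2. Doesn't contain your username, real name or company name (parts of 3+ letters).
    for label, value in (("username", username), ("real name", real_name), ("company name", company)):
        if any(len(part) >= 3 and part in lower for part in value.lower().split()):
            failures.append(f"contains your {label}")

    # 3. Doesn't contain a complete word.
    if any(word in lower for word in COMMON_WORDS):
        failures.append("contains a complete dictionary word")

    # 4. Significantly different from your other passwords.
    for old in other_passwords:
        if SequenceMatcher(None, lower, old.lower()).ratio() > SIMILARITY_THRESHOLD:
            failures.append("too similar to another password")
            break

    # 5. Contains a combination of cases, numbers, letters and symbols.
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_lower and has_upper and has_digit and has_symbol):
        failures.append("missing a mix of upper and lower case, numbers and symbols")

    return failures


if __name__ == "__main__":
    # Constructed sample: a reused seasonal password fails on two counts.
    print(check_password("Summer2024!", username="jsmith", real_name="John Smith",
                         company="Acme", other_passwords=["Summer2023!"]))
```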

Keep an eye on your bank accounts and credit report

You may want to keep a close eye on your bank accounts and other online accounts over the next few months, particularly if you think the breach involved any financial details or details that a scammer could use to commit identity fraud.

If you see anything unusual, contact your bank immediately and explain that you've been the victim of fraud.

If you're not happy with the way your bank deals with your complaint, you can refer it to the Financial Ombudsman Service (FOS).

It's also important to check your credit report with the three main credit agencies - Callcredit, Experian and Equifax - to ensure credit isn't taken out in your name.

If you find that any of the above has happened, you should also contact Action Fraud as soon as possible.

Action Fraud is the UK’s national fraud and internet crime reporting centre and it can be reached on 0300 123 2040 or via the Action Fraud website.

Be aware of scams

If you're contacted by anyone over the phone asking you for personal details or passwords (such as for your bank account), take steps to check their true identity.

Ask them to give you details that only the company they claim to be calling from would know, for example details of your service contract or how much you pay per month.

If you still have concerns about the caller's identity, you should hang up and call the company back.

If possible, use a different telephone to check the validity of the phone call.

Bear in mind that scammers may have access to more of your personal information than seems normal. So if you are at all suspicious hang up the phone, look up the organisation's number and call it yourself.

Read our guide on phone scams for more information on how to protect yourself from fraudsters and how to report a nuisance call.

How to complain and claim compensation

Organisations are bound by the Data Protection Act 2018 (GDPR) to keep your data secure.

This means that they must take measures to prevent unauthorised or unlawful processing of your personal data.

They must also protect against accidental loss or destruction of, or damage to, your personal data.

If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.

1. Complain to the company that lost your data

If you’ve suffered distress or financial loss as a result of your data being compromised, the first thing you must do is contact the organisation that you believe is responsible.

Outline what distress and/or losses you’ve suffered, and how you expect it to compensate you. It's important to note that you can now make a claim relating to distress alone - you do not need to have also suffered financial loss.

2. Complain to the ICO

You can also take your concerns with how the organisation processed your data to the Information Commissioner’s Office (ICO).

By law, the ICO can't award compensation or give advice on the level of compensation that should be due, even when it has said that in its view the organisation did indeed breach the GDPR. But its opinion can be influential in making your claim against the organisation that has compromised your data.

3. Go to the small claims court

If you can't agree with the organisation that compromised your data on the fact that you are due compensation, or on the level of compensation, you can make a claim via the small claims court.

A good piece of evidence to take to court is a finding from the ICO that agrees with you that the GDPR was indeed breached.

You can use our advice on how to make a claim in the small claims court.