Data Breach Claims and Privacy

We will help you bring or defend claims relating to breaches of personal data and privacy.

As an organisation, it is key to implement processes to ensure any personal data you can access is handled fairly and properly. If these processes fail due to human error or cyber-crime, you could face financial or reputational consequences. The introduction of the Data Protection Act 2018, which substantially increased the fines and risks of non-compliance, has made this issue more pressing than ever.

The unauthorised disclosure of personal data can be distressing and have a significant impact on your life, especially if it is released into the public domain. Often the full implications of a breach may not be discovered for some time after it has occurred.

As an individual, if your personal data has been breached, legal options are available. Under the Data Protection Act you can proceed with a claim for damages in cases where the only impact of a data breach is the distress you have suffered, but this is a complex area of law to navigate.

We go the extra mile to maximise your chances of successfully bringing or defending a claim. Our team has the legal expertise, practical advice and support you need to manage the consequences that may arise as a result of a breach and address any associated damage claims. We offer an array of bespoke funding options to suit your needs and case.

Our Regulatory team includes lawyers who specialise in data breach matters. They work closely with our Litigation, Commercial, and Data Protection teams to get the job done.

We act for both claimants and data controllers, and work with organisations across various sectors such as tech, healthcare and recruitment.

In this section

Regulatory & Professional Conduct

FAQs

What is personal data?

The European General Data Protection Regulation defines ‘personal data’ as any information relating to an identified or identifiable natural person. This typically includes a person’s name, address and date of birth, as well as a number of other details.
What is a data breach?

A personal data breach is a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
What does processing my personal data mean?

The processing of data includes collecting, recording, storing, deleting or using said data to analyse, combine or disclose it to others.
How should my personal data be processed?

The European General Data Protection Regulation (GDPR) requires that your personal data should be processed lawfully, fairly and in a transparent manner to you. You must have consented to the processing of your personal data for one or more specified purposes.
The processing of your personal data must be necessary for compliance with legal obligations and be necessary for the purposes of legitimate interests, except in certain limited circumstances. The full process is outlined in GDPR legislation.
What happens if there is a data breach of my personal data?
You should be contacted by the data controller and the data controller should also report the data breach to the Information Commissioner’s Office (ICO). The ICO is the supervisory authority for data protection in the UK.
You should be told:
the name and contact details of the data protection officer;
the anticipated consequences of the data breach; and
the steps taken, or to be taken, to address the data breach. This should include the steps to mitigate any possible adverse effects as appropriate.
What is the Data Protection Act 2018?

The European General Data Protection Regulations (GDPR) created a data protection regime that applies to most UK businesses and organisations.
The Data Protection Act 2018 enacts GDPR into UK Law.
GDPR legislation has direct effect, but the Data Protection Act 2018 makes provisions for how this legislation will be applied in the UK and introduces UK-specific additional measures.
In conjunction with existing common law on privacy and confidence, the Data Protection Act 2018 governs the law applying to the processing of your personal data.
Who can bring a claim in relation to a data breach?

Any individual can potentially bring a claim in relation to a data breach concerning their personal data, by a party who has processed that personal data or who controls it. That person is known as the ‘data subject’.
A data controller is the person who decides how and why to collect and use personal data. Generally speaking, the data controller’s duties are wider than the duties of someone who processes personal data.
What remedies can be sought for a data breach?

The primary remedy that a court will consider will be an award of damages.
Any award for damages should take into account the loss of control of formerly private information. A claim for damages under the Data Protection Act is permissible even when the only impact on the claimant had been distress.
The award of damages by the courts is dependent on the individual circumstances of a particular data breach.
Depending on the nature of the data breach, it may also be appropriate to consider applications to the court for injunctive relief.
What are the time limits for bringing a claim?

The limitation period for making a data protection claim is currently six years.
What funding options are available to bring a claim?
There are various methods that we can arrange with you in order to fund the legal costs associated with a claim, including:
‘No win, no fee’ agreements
Deferred fee agreements
Hourly rate retainers
Fixed costs
Depending on the type of case you have, the merits of the case and the stage it is at when you bring it to us, we may be able to offer you more than one of these options to fund the legal costs associated with your case. We ensure that the funding options available are suitable to your needs and circumstances.
In the majority of cases, a successful claim or defence of a claim results in your opponent being ordered to pay your legal costs.
How do ‘no win, no fee’ and ‘deferred fee’ arrangements work?

If your case has sufficiently good prospects of success, we may be able to work for you under a Conditional Fee Agreement, commonly known as a ‘no win, no fee’ arrangement or a CFA.
This means that we would undertake the work on the case, up to an agreed stage (which may be the end of proceedings or settlement) without payment and only be entitled to payment for our fees if the claim is successful (either at court or by settlement). In those circumstances, we would also be entitled to a success fee to reflect the work done and the risk taken.
We can also consider entering into ‘deferred fee agreements’ where we agree to defer payment of our fees for a period of time, while court proceedings or settlement discussions take place.
Who pays the costs of a claim?

The payment of costs depends on a number of factors, including the type of claim, the conduct and position adopted by the parties and importantly, whether one of the parties has succeeded over the other.
However as a general rule, the losing party pays the winning party’s costs, subject to the assessment of those costs as to reasonableness and proportionality by the court.
As there is a risk in any litigation, we will discuss with you whether you wish to take out an ‘after the event’ insurance policy to cover the payment of any adverse costs awarded against you should the claim be unsuccessful.
What next?

If you have any other questions or wish to discuss a potential case, please contact one of our team below or complete our enquiry form, and one of our experienced solicitors will be happy to talk to you on a no-cost, no obligation basis to see how we may be able to help you.

Latest news & events

Data Protection Day 2024 — How your business can keep up with evolving regulations

Organisations must regularly assess and prioritise their data protection practices to remain compliant with legislation.
Data protection – what’s in a dog’s name?

A previous ICO (Information Commissioners Office) case highlighted that a dog’s name could lead to an individual’s...
Data Protection Day and the year ahead

We look ahead to likely developments in data protection regulations in 2023.
Another finding against Meta for GDPR breaches

The DPC investigation followed complaints about Meta's Terms of Service updates for Facebook and Instagram users.
Meta fined by Data Protection Commission for breaches

Meta has received a significant fine from the Data Protection Commission in Ireland for breaches of GDPR regulations.
Interserve fined £4.4 million for GDPR breach

The ICO found the firm had failed to implement appropriate technical and organisational measures to protect data.
When can compensation be awarded as a result of data protection breaches?

An Austrian court ruled that compensation would not be awarded for emotional harm caused by data protection breaches.
DPC and Ark Life: Security measures for handling personal data

A good privacy framework and governance system is the key to demonstrating compliance with data protection legislation.
GDPR to be replaced with a 'British-friendly' data protection system?

The planned system aims to be clearer and simpler for businesses to navigate, whilst still protecting consumer privacy.
British Airways hit with £20 million fine for 2018 data breach

British Airways has been fined £20 million by the Information Commissioner’s Office (“ICO”) – the biggest...Read more.
NCSC Report highlights increasing Cyber Threat to the Sports Industry

The National Cyber Security Centre (NCSC) has published a report on the increasing cyber threat to the sports industry.
Dixons Carphone

Dixons Carphone were handed the largest possible fine for a widespread data protection breach.