This is Money asked James Quartermaine, legal director at commercial law firm Doyle Clayton, how easy it is to get redress if your information has been leaked.
What options do I have if my data has been leaked?
James Quartermaine says: ‘If a company has failed to take adequate measures to secure your personal data, and that data has been leaked as a result of a data breach, the UK GDPR gives you the right to claim compensation for “material damage”, if you have suffered financial loss, and “immaterial damage”, in which you have experienced suffering.
Everything is relative: James Quartermaine says that the amount you are entitled to depends on the suffering caused
‘In some cases you may be able to agree appropriate compensation with the organization responsible for the breach, but if that is not possible you may want to consider going to court.’
Quartermaine added that you can file a complaint with the Information Commissioner’s Office, which he said could take regulatory or financial action against the data controller.
“While the ICO has draconian powers to impose fines on companies that have failed to protect personal data, it does not have the power to award you financial compensation as a victim of the breach,” he said.
How do I know if my data has been leaked, and by which company?
“It is the responsibility of the responsible company to contact you,” Quartermaine said. “If companies become aware that they have suffered a data breach that poses a high risk to the rights and freedoms of individuals, they have a duty to inform those affected without undue delay.”
According to Quartermaine, companies must provide details of their data protection officer, as well as the possible consequences of the data breach in question, and the action they plan to take to mitigate the negative impact.
“This should include advice on steps you can take to protect yourself and details of any help they wish to offer you,” he said.
What compensation am I entitled to?
“There is no one-size-fits-all approach to assessing damages, and the precise amount will often depend heavily on the facts of each individual case,” Quartermaine says.
‘A lot will depend on the sensitivity of the leaked data. For example, leaking medical information or sensitive information about children will usually result in a higher level of reward.
‘If you can prove that you have suffered financial damage as a direct result of the violation, you can claim that damage.
‘However, in many cases people will not be able to prove any direct financial loss, but will instead seek compensation for the distress, anxiety or frustration they have suffered.
‘Damages alone have not traditionally resulted in large damages awards and the UK courts have taken the approach that a threshold of severity must be crossed before any damages can become payable. Judges have been increasingly willing to strike down “trivial” data claims that do not cross the threshold of severity.’
Is it worth it?
The amount you can receive from a damages claim depends on the extent of your suffering as a result of the leak. According to Quartermaine, this is assessed in relation to other types of cases involving suffering.
‘When assessing distress damages in data breach cases, judges will take into account the level of awards for psychiatric or mental harm in personal injury cases, to ensure that an award is not disproportionate to the amounts awarded there,’ he says.
‘Previous case law suggests that the starting point for an award for distress alone in data cases at the lower end of the ‘severity’ spectrum may be somewhere between £750 and £1,000.’
‘In such cases, claims are usually allocated to the small claims process of the County Court. Clearly, if there are aggravating factors and there is serious suffering or psychological impact on an individual, the rewards will be much higher.’
However, that doesn’t mean it’s not worth filing a claim, especially if your finances have suffered.
‘If you have been the victim of a data breach and you can demonstrate that it has caused you significant distress or financial loss, then you are likely to have the basis for a successful claim for compensation.
‘If you cannot agree damages with the controller you may need to consider taking legal action, but any legal action can be stressful so obtaining specialist legal advice before doing so is strongly recommended,’ says Quartermaine.