UK-GDPR (General Data Protection Regulation)- Personal Data Breach

In anticipation of Brexit, a new domestic data privacy law called the UK-GDPR took effect on January 31, 2020, alongside the Data Protection Act of 2018 and the PECR which governs all processing of personal data inside the United Kingdom.

The UK-GDPR is similar to the EU’s GDPR. It requires your website to obtain explicit consent from users before processing their personal data via cookies and third-party trackers. Then it requires you to securely retain and document each valid consent, as well as allowing users to change their consent as simply as they gave it. It also gives a set of rights to UK users, chief among them the right to delete and the right to have corrected already collected personal data.

What is a Personal data breach?

  • A personal data breach means a breach of security leading to accidental or unlawful destruction. It may also be for the loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. Personal data breaches can include:
    1. Access by an unauthorized third party.
    2. Deliberate or accidental action (or inaction) by a controller or processor.
    3. Sending personal data to an incorrect recipient.
    4. Loss or theft of computers containing personal data.
    5. Alteration of personal data without permission and
    6. Loss of availability of personal data.
  • A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability, or integrity. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted, or disclosed. if someone accesses the data or passes it on without proper authorization or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

What data does your organisation hold?

  • Identifying what data your organization holds, where it comes from, and what you do with it is a crucial part of the UK-GDPR compliance. This could include data such as-
    1. Names, email addresses, address records.
    2. Bank details, credit card details, mobile phone numbers.
    3. Data on social media, internal/external employee, supplier, and client data.
    4. What Offices internationally hold, marketing and order history in the Cloud, third parties information shared.

What must a company do when there’s a data breach?

  • Data breaches only need to be reported if they pose a risk to the rights and freedoms of natural living persons. This generally refers to the possibility of affected individuals facing economic or social damage (such as discrimination), reputational damage, or financial losses. Most data breaches fit into this category. But those that do not include information that is linked to a specific individual are unlikely to pose a risk. Whether you are required to report a data breach or not, the GDPR mandates that you keep a record of it. In case, it poses a risk to the rights and freedom of the people then, the company must-
    1. Notify the ICO (in the UK) of certain types of data protection breaches.
    2. Report such breaches without undue delay and within 72 hours of becoming aware of the breach, where feasible (even if you do not have all of the details yet).
    3. Where the breach poses a high risk of adversely affecting individuals’ rights and freedoms, notify the individual of the breach without undue delay.
    4. Keep a full internal breach register. Organizations that do not already have internal procedures for managing data protection breaches should consider adopting formal procedures.

How to complain and claim compensation?

  • The GDPR gives you the right to claim compensation from an organization if you have suffered damage. As a result of it breaking data protection law. This includes both material damage (e.g. you have lost money) or non-material damage (e.g. you have suffered distress). It is not always necessary to have a court claim to obtain compensation. The organization may simply agree to pay it to you. However, if it does not agree to pay, your next step would be to make a claim in court. You should write to the organization before you start court proceedings. Then the court would decide the case. If it agreed with you, it would decide whether or not the organization would have to pay you compensation.
  • It is strongly recommended that you take independent legal advice on the strength of your case before taking any claim to court. We have specialist solicitors who can help you in case of any personal data breach. Also to draft your cookie and privacy policy. And advise on GDPR or do an audit to see that your business is compliant.

For expert legal advice and assistance with claims under the GDPR, contact or WhatsApp us on 07583452230 and we can connect you to the right data protection specialist. Visit to find out more about how we can help you with our other business services, check our 5-star testimonials and watch our Youtube channel or listen to our podcasts. If you find this information useful, please follow our social media platforms, like, and share.